anomaly-detection load

To set the KB file as the current KB for the specified virtual sensor, use the anomaly-detection load command in EXEC mode.

anomaly-detection virtual-sensor load [ initial | file name ]

Syntax Description

virtual-sensor

The virtual sensor. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

initial

The initial KB.

file

An existing KB file.

name

The KB filename. This is a case-sensitive character string containing 1 to 32 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

Note This command is IPS-specific. There is no related IOS command in Release 12.0 or earlier.

Examples

The following example loads 2012-Mar-16-10_00_00 as the current KB file:

sensor# anomaly-detection vs0 load file 2012-Mar-16-10_00_00

sensor#

anomaly-detection save

To retrieve the current anomaly detection KB file and save it locally, use the anomaly-detection save command in EXEC mode.

anomaly-detection virtual-sensor save [ new-name ]

Syntax Description

virtual-sensor

The virtual sensor. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

new-name

(Optional) The new KB filename. This is a case-sensitive character string containing up to 32 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

Defaults

The default generated filename is YYYY-Mon-dd-hh_mm_ss, where Mon is a three-letter abbreviation of the current month.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

An error is generated if anomaly detection is not active when you execute this command. You cannot overwrite the initial KB file. If the KB filename already exists, whether you choose a new name or use the default, the old KB file is overwritten.

There is a limit on the total disk space that KB files can occupy. If a new KB is generated and this limit has been reached, the oldest KB (provided it is neither the current KB nor the initial KB) is deleted.

Note This command is IPS-specific. There is no related IOS command in Release 12.0 or earlier.

Examples

The following example saves the current KB and stores it as my-kb:

sensor# anomaly-detection vs0 save my-kb

sensor#

attemptLimit

To lock accounts so that users cannot keep trying to log in after a certain number of failed attempts, use the attemptLimit number command in authentication submode. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.

attemptLimit number

Syntax Description

attemptLimit

Sets the limit on how many times a user can try to log in to the sensor.

number

Specifies the number of failed attempts before the account is locked.

Defaults

The default is 0, which indicates unlimited authentication attempts.

Command Modes

Authentication submode (service authentication)

Supported User Roles

Administrator

Command History

Release

Modification

5.0

This command was introduced.

Usage Guidelines

The attemptLimit command provides a way for an administrator to set the limit on how many times a user can try to log in to the sensor before the account is locked. A locked account is indicated by parentheses in the show users all output.

When you configure account locking, local authentication, as well as RADIUS authentication, is affected. After a specified number of failed attempts to log in locally or in to a RADIUS account, the account is locked locally on the sensor. For local accounts, you can reset the password or use the unlock user username command to unlock the account. For RADIUS user accounts, you must use the unlock user username command to unlock the account.

Note For RADIUS users, the attempt limit feature is enforced only after the RADIUS user’s first successful login to the sensor.

Examples

The following example sets the attempt limit to 3 failed login attempts:

sensor# configure terminal

sensor(config)# service authentication

sensor(config-aut)# attemptLimit 3
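The lockout rules above (local and RADIUS accounts, the RADIUS first-success condition, unlock versus password reset, and 0 meaning unlimited) are easier to reason about as code. The following Python model is an added example, not Cisco code and not the sensor's implementation; the AuthStore and Account names and the radius_ok argument that stands in for the RADIUS server's answer are this example's own assumptions.

```python
"""Model of the attemptLimit lockout rules documented for the sensor.

Added example, not Cisco code: it encodes the documented behaviour so it can
be reasoned about and tested offline. The class and method names (AuthStore,
Account, login, unlock_user, ...) are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    source: str                      # "local" or "radius"
    password: Optional[str] = None   # local accounts only; RADIUS is verified by the server
    failures: int = 0
    locked: bool = False
    had_success: bool = False        # RADIUS: the limit applies only after a first success


class AuthStore:
    def __init__(self, attempt_limit: int = 0):
        # attemptLimit 0 (the default) means unlimited attempts: never lock.
        if attempt_limit < 0:
            raise ValueError("attemptLimit must be 0 or a positive count")
        self.attempt_limit = attempt_limit
        self.accounts: dict[str, Account] = {}

    def add(self, account: Account) -> None:
        self.accounts[account.name] = account

    def login(self, name: str, password: str, radius_ok: Optional[bool] = None) -> str:
        """Return "ok", "failed" or "locked". radius_ok stands in for the RADIUS
        server's accept/reject answer (constructed here; there is no network)."""
        acct = self.accounts[name]
        if acct.locked:
            return "locked"          # the lock is local and holds even for a correct password
        if acct.source == "local":
            ok = password == acct.password
        else:
            ok = bool(radius_ok)
        if ok:
            acct.failures = 0
            acct.had_success = True
            return "ok"
        acct.failures += 1
        enforced = self.attempt_limit > 0 and (acct.source == "local" or acct.had_success)
        if enforced and acct.failures >= self.attempt_limit:
            acct.locked = True
            return "locked"
        return "failed"

    def unlock_user(self, name: str) -> None:
        """Equivalent of `unlock user username`: works for local and RADIUS accounts."""
        acct = self.accounts[name]
        acct.locked = False
        acct.failures = 0

    def reset_password(self, name: str, new_password: str) -> None:
        """Resetting the password also unlocks, but only local accounts have one."""
        acct = self.accounts[name]
        if acct.source != "local":
            raise ValueError("RADIUS accounts have no local password; use unlock_user")
        acct.password = new_password
        self.unlock_user(name)

    def show_users_all(self) -> list[str]:
        """Locked accounts are shown in parentheses, as in `show users all`."""
        return [f"({a.name})" if a.locked else a.name for a in self.accounts.values()]
```

The RADIUS branch is the part worth noticing: until the user has logged in successfully once, failed attempts are counted but never trigger a lock, which is exactly the window the Note above describes.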

Related Commands

Command

Description

unlock user

Unlocks local and RADIUS accounts when users have been locked out after a certain number of failed attempts.

show users all

Shows all users with accounts on the sensor.

banner login

To create a banner message to display on the terminal screen, use the banner login command in global configuration mode. To delete the login banner, use the no form of this command. The banner message appears when a user accesses the CLI and is displayed before the username and password prompts.

banner login

no banner login

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

Global configuration

Supported User Roles

Administrator

Command History

Release

Modification

5.0(1)

This command was introduced.

Usage Guidelines

The banner login command lets you create a text message, up to 2500 characters, to display on the terminal screen. This message appears when you access the CLI. You can include a carriage return or question mark (?) in the message by pressing Ctrl-V followed by the carriage return or question mark. A carriage return is represented as ^M in the text message you create, but appears as an actual carriage return when the message is displayed to the user.

Press Ctrl-C at the Message prompt to cancel the message request.

Note The format for this command is different from the Cisco IOS Release 12.0 implementation.

Examples

The following example creates a message to display on the terminal screen at login:

sensor(config)# banner login

Banner[]: This message will be displayed on login. ^M Thank you!

At login, the following message appears:

This message will be displayed on login.

Thank you!

password:

block host

To block a host, use the block host command in EXEC mode. To remove the block on a host, use the no form of this command.

block host ip-address [timeout minutes ]

no block host ip-address

Syntax Description

ip-address

IP address of the host to be blocked.

timeout

(Optional) Specifies a timeout for the host block.

minutes

(Optional) Duration of host block in minutes.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Command History

Release

Modification

6.1(1)

This command was introduced.

Supported User Roles

Administrator, operator

Usage Guidelines

Use this command to add a manual host block. If you do not specify a timeout, the block is permanent.

Note This command does not exist in Cisco IOS Release 12.0 or earlier.

Examples

The following example blocks the host with the IP address 10.2.3.1:

sensor# block host 10.2.3.1

sensor#

Related Commands

Command

Description

block network

Blocks a network.

block connection

Performs a connection block.

block network

To block a network, use the block network command in EXEC mode. To remove the block on a network, use the no form of this command.

block network ip-address/netmask [timeout minutes ]

no block network ip-address/netmask

Syntax Description

ip-address/netmask

Network subnet to be blocked in X.X.X.X/nn format. X.X.X.X specifies the network address as a 32-bit address written as four octets separated by periods, where X = 0-255. nn specifies the number (1-32) of bits in the netmask.

timeout

(Optional) Specifies a timeout for the network block.

minutes

(Optional) Duration of network block in minutes.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Command History

Release

Modification

6.1(1)

This command was introduced.

Supported User Roles

Administrator, operator

Usage Guidelines

Use this command to add a manual network block. If you do not specify a timeout, the block is permanent.

Note This command does not exist in Cisco IOS Release 12.0 or earlier.

Examples

The following example blocks the network 10.0.0.0/8 (netmask 255.0.0.0):

sensor# block network 10.0.0.0/8

sensor#
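The block host and block network commands share one behaviour worth pinning down: the target is an address or an X.X.X.X/nn prefix with nn in 1-32, a host block is the /32 case, and a block without a timeout never expires. The following Python model of that block table is an added example, not Cisco code and not how the sensor or its blocking device stores blocks; the BlockTable class, parse_block_target and the use of plain seconds for time are this example's own assumptions.

```python
"""Model of the manual block table behind block host / block network.

Added example, not Cisco code: it validates an X.X.X.X/nn target (four octets
0-255, nn in 1-32), treats a host block as /32, and lets the optional timeout
in minutes drive expiry, a block with no timeout being permanent. Names and
the seconds-based clock are this example's own.
"""
import ipaddress
from typing import Optional


def parse_block_target(text: str) -> ipaddress.IPv4Network:
    """Accept '10.2.3.1' (host, treated as /32) or '10.0.0.0/8'; reject anything
    else, including dotted netmasks and prefix lengths outside 1-32."""
    addr_part, sep, prefix_part = text.strip().partition("/")
    octets = addr_part.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr_part!r}")
    if not sep:
        prefix = 32
    else:
        if not prefix_part.isdigit() or not 1 <= int(prefix_part) <= 32:
            raise ValueError(f"prefix length must be 1-32, got {prefix_part!r}")
        prefix = int(prefix_part)
    # strict=False masks off host bits the operator may have typed (10.2.3.1/24 -> 10.2.3.0/24)
    return ipaddress.IPv4Network((addr_part, prefix), strict=False)


class BlockTable:
    def __init__(self) -> None:
        # network -> expiry time in seconds, or None for a permanent block
        self._blocks: dict[ipaddress.IPv4Network, Optional[float]] = {}

    def block_host(self, ip: str, now: float, timeout_minutes: Optional[int] = None) -> None:
        if "/" in ip:
            raise ValueError("block host takes a plain address; use block_network for a prefix")
        self._add(parse_block_target(ip), now, timeout_minutes)

    def block_network(self, cidr: str, now: float, timeout_minutes: Optional[int] = None) -> None:
        if "/" not in cidr:
            raise ValueError("block network requires X.X.X.X/nn")
        self._add(parse_block_target(cidr), now, timeout_minutes)

    def _add(self, net: ipaddress.IPv4Network, now: float, timeout_minutes: Optional[int]) -> None:
        if timeout_minutes is not None and timeout_minutes <= 0:
            raise ValueError("timeout must be a positive number of minutes")
        self._blocks[net] = None if timeout_minutes is None else now + timeout_minutes * 60

    def unblock(self, target: str) -> bool:
        """`no block host` / `no block network`: False when no such block exists."""
        net = parse_block_target(target)
        if net in self._blocks:
            del self._blocks[net]
            return True
        return False

    def _expire(self, now: float) -> None:
        for net, expires_at in list(self._blocks.items()):
            if expires_at is not None and expires_at <= now:
                del self._blocks[net]

    def is_blocked(self, ip: str, now: float) -> bool:
        self._expire(now)
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self._blocks)

    def active(self, now: float) -> list[str]:
        """Blocks still in force at `now`, as prefix strings."""
        self._expire(now)
        return sorted(str(net) for net in self._blocks)
```

The validation deliberately rejects a dotted netmask such as 10.0.0.0/255.0.0.0, because the command takes the /nn form only, and rejects /0, which would block everything.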

Related Commands

Command

Description

block host

Blocks a host.

block connection

Performs a connection block.

block connection

To block a connection, use the block connection command in EXEC mode. To remove a connection block, use the no form of this command.

Defaults

Command Modes

Command History

Usage Guidelines

Use this command to add a manual connection block. If you do not specify a timeout, the block is permanent.

Note This command does not exist in Cisco IOS Release 12.0 or earlier.

Examples

The following example blocks the connection between the source IP address 10.2.3.1 and the destination IP address 11.2.3.1 with the destination port 80, protocol TCP, and the timeout duration of 30 minutes:

Related Commands

clear database

To clear the nodes, alerts, inspectors, or the entire database for a given virtual sensor, use the clear database command in EXEC mode.

Use the clear database nodes command to clear the overall packet database elements, including the packet nodes, TCP session information, and inspector lists. Use the clear database inspectors command to clear the inspector lists contained within the nodes; this does not clear TCP session information or nodes. The inspector lists represent the packet work and observations collected during the sensor uptime. Use the clear database alerts command to clear alert database information, including the alert nodes, Meta inspector information, summary state, and event count structures. This command discards summary alerts.

clear database [ virtual-sensor ] { all | nodes | alerts | inspectors }

Syntax Description

virtual-sensor

The name of the virtual sensor configured on the sensor. This is a case-sensitive character string containing 1-64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.” If you do not provide the virtual sensor name, all virtual sensor databases are cleared.

Defaults

Command Modes

Command History

Usage Guidelines

Do not use this command except under the direction of TAC, or in a testing scenario where you want to clear accumulated state information and start with a clean slate.

Note This command does not exist in Cisco IOS Release 12.0 or earlier.

Examples

The following example clears the nodes database:

sensor# clear database nodes

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]: yes

sensor#

Related Commands

Command

Description

show statistics denied-attackers

Displays the list of denied attackers.

clear denied-attackers

To delete the current list of denied IP addresses, use the clear denied-attackers command in EXEC mode.

clear denied-attackers [ virtual-sensor ] [ ip-address ip-address ]

Syntax Description

virtual-sensor

(Optional) The name of the virtual sensor configured on the sensor. The clear operation is restricted to denied addresses associated with the identified virtual sensor. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.” If you do not provide the virtual sensor name, all denied attackers are cleared.

ip-address

(Optional) Specifies the IP address to clear.

ip-address

(Optional) The IP address to clear. If virtual-sensor is provided, the IP address is cleared only on the requested virtual sensor; otherwise it is cleared on all virtual sensors. The IP address can be IPv4 or IPv6.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

5.0(1)

This command was introduced.

6.0(1)

Added optional virtual-sensor and ip-address parameters.

6.2(0)

Added support for both IPv4 or IPv6 in the ip-address parameter.

Usage Guidelines

The clear denied-attackers command lets you restore communication with previously denied IP addresses by clearing the list of denied attackers. Without the ip-address keyword, all IP addresses are removed from the list; with it, only the specified address is removed.

The virtual sensor and IP address are optional. If you provide the virtual sensor name, the IP address is cleared on the requested virtual sensor only; otherwise, it is cleared on all virtual sensors.

Note This command does not exist in Cisco IOS Release 12.0 or earlier.

Examples

The following example removes all IP addresses from the denied attackers list:

sensor# clear denied-attackers

Warning: Executing this command will delete all addresses from the list of attackers currently being denied by the sensor.

Continue with clear? [yes]: yes

sensor#

The following example clears all entries in the denied attackers list associated with virtual sensor vs0:

sensor# clear denied-attackers vs0

Warning: Executing this command will delete all addresses from the list of attackers being denied by virtual sensor vs0.

Continue with clear? [yes]: yes

sensor#

The following example clears only the IP address 10.1.1.1 from the denied attackers list of virtual sensor vs0:

sensor# clear denied-attackers vs0 ip-address 10.1.1.1

Warning: Executing this command will delete ip address 10.1.1.1 from the list of attackers being denied by virtual sensor vs0.

Continue with clear? [yes]: yes

sensor#

Related Commands

Command

Description

show statistics denied-attackers

Displays the list of denied attackers.

clear events

To clear the Event Store, use the clear events command in EXEC mode.

clear events

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Use this command to clear all events from the Event Store.

Note This command is IPS-specific. There is no related IOS command in Release 12.0 or earlier.

Examples

The following example clears the Event Store:

sensor# clear events

Warning: Executing this command will remove all events currently stored in the event store.

Continue with clear? []:yes

sensor#

clear line

To terminate another CLI session, use the clear line command in EXEC mode.

clear line cli-id [ message ]

Syntax Description

cli-id

The CLI ID number associated with the login session. See the show users command.

message

(Optional) If you select message , you are prompted for a message to send to the receiving user.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Command History

Release

Modification

5.0(1)

This command was introduced.

Supported User Roles

Administrator, operator, viewer

Note Operator and viewer can only clear lines with the same username as the current login.

Usage Guidelines

Use the clear line command to log out of a specific session running on another line. Use the message keyword if you want to include an optional message to display on the terminal of the login session you are terminating. Ctrl-C cancels the request and the carriage return sends the request with the specified message. The maximum message length is 2550 characters. Use Ctrl-V followed by a carriage return to put a carriage return in the message text.

You cannot use the clear line command to clear a service account login.

Note The message keyword is not supported in the Cisco IOS Release 12.0 version of this command.

Examples

The following example illustrates the output displayed when a user with administrator privileges attempts to log in after the maximum sessions have been reached:

Error: The maximum allowed CLI sessions are currently open, would you like to terminate one of the open sessions? [no] yes

CLI ID User Privilege

1253 admin1 administrator

1267 cisco administrator

1398 test operator

Enter the CLI ID to clear: 1253

Message:Sorry! I need access to the system, so I am terminating your session.

sensor#

The following example illustrates the message displayed on the terminal of admin1:

sensor#

***

***

Termination request from Admin0

***

Sorry! I need access to the system, so I am terminating your session.

The following example illustrates the output displayed when a user with operator or viewer privileges attempts to log in after the maximum sessions have been reached:

Error: The maximum allowed CLI sessions are currently open, please try again later.

Related Commands

Command

Description

show users

Displays information about users logged in to the CLI.

clear os-identification

To delete OS ID associations with IP addresses that were learned by the sensor through passive analysis, use the clear os-identification command in EXEC mode.

clear os-identification [ virtual-sensor ] learned [ ip-address ]

Syntax Description

virtual-sensor

(Optional) The name of the virtual sensor configured on the sensor. The clear operation is restricted to learned addresses associated with the identified virtual sensor. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

learned

Specifies that learned OS identifications (those the sensor acquired through passive analysis) are to be cleared.

ip-address

(Optional) The IP address to clear. The sensor clears the OS ID mapped to the specified IP address.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

The virtual sensor and IP address are optional. When you specify an IP address, only the OS identification for the specified IP address is cleared; otherwise, all learned OS identifications are cleared.

If you specify a virtual sensor, only the OS identification for the specified virtual sensor is cleared; otherwise, the learned OS identifications for all virtual sensors are cleared. If you specify an IP address without a virtual sensor, the IP address is cleared on all virtual sensors.

Examples

The following example clears the learned OS identification for IP address 10.1.1.12 on all virtual sensors:

sensor# clear os-identification learned 10.1.1.12

sensor#

Related Commands

Command

Description

show statistics os-identification

Displays statistics about OS identifications.

show os-identification

Shows the list of OS identifications.

clock set

To manually set the system clock on the appliance, use the clock set command in EXEC mode.

clock set hh:mm[:ss] month day year

Syntax Description

hh:mm[:ss]

Current time in hours (24-hour format), minutes, and seconds.

month

Current month (by name).

day

Current day (by date) in the month.

year

Current year (no abbreviation).

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

You do not need to set the system clock under the following circumstances:

When the system is synchronized by a valid outside timing mechanism, such as an NTP or VINES clock source.

When you have a router with calendar capability.

Use the clock set command if no other time sources are available. The time specified in this command is relative to the configured time zone.

Examples

The following example manually sets the system clock to 1:32 p.m. on July 29, 2011:

sensor# clock set 13:32 July 29 2011

sensor#

configure

To enter global configuration mode, use the configure terminal command in EXEC mode.

Command Modes

Usage Guidelines

Examples

The following example changes modes from EXEC to global configuration:

sensor# configure terminal

sensor(config)#

copy

To copy iplogs and configuration files, use the copy command in EXEC mode.

copy [/erase] source-url destination-url

copy iplog log-id destination-url

Syntax Description

erase

(Optional) Erases the destination file before copying.

Note This keyword only applies to current-config; the backup-config is always overwritten. If this keyword is specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for destination current-config, the source configuration is merged with the current-config.

source-url

The location of the source file to be copied. Can be a URL or keyword.

destination-url

The location of the destination file to be copied. Can be a URL or keyword.

copy iplog

Copies the iplog. Use the iplog-status command to retrieve the log-id.

log-id

Log ID of the file to copy. Use the iplog-status command to retrieve the log-id.

If FTP or SCP is the selected protocol, you are prompted for a password. If no password is necessary for the FTP session, you can press Return without entering anything.

You can enter all necessary source and destination URL information and the username on the command line, or you can enter the copy command and have the sensor prompt you for any missing information.

Warning Copying a configuration file from another sensor can result in errors if the system sensing interfaces and virtual sensors are not configured the same.

Note The Cisco IOS Release 12.0 copy command is more flexible and allows copying between different destinations.

Examples

The following example copies a file into the current configuration from the machine with the IP address 10.1.1.1 and directory/filename ~csidsuser/configuration/cfg; the directory and file are relative to the home account of csidsuser:

Warning: Replacing existing network-settings may leave the box in an unstable state.

Would you like to replace existing network settings (host-ipaddress/netmask/gateway/access-list) on sensor before proceeding? [no]: no

sensor#

The following example copies the iplog with ID 12345 to the machine with the IP address 10.1.1.1, directory/filename ~csidsuser/iplog12345; the directory and file are relative to the home account of csidsuser:

Defaults

Command Modes

Command History

Usage Guidelines

Use this command to copy configuration instances (security policies). An error is generated if the instance already exists or if there is not enough space available for the new instance.

Examples

The following example copies the signature definition named “sig0” to a new definition named “mySig”:

sensor# copy signature-definition sig0 mySig

sensor#

deny attacker

To add a single deny attacker IP address to the current list of denied attackers, use the deny attacker command in EXEC mode. To delete an attacker from the current denied attackers list, use the no form of this command.

Syntax Description

virtual-sensor

(Optional) Specifies the virtual sensor configured on the sensor.

name

(Optional) The name of the virtual sensor configured on the sensor. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.” If you do not provide the virtual sensor name, the attacker is denied for all virtual sensors.

ip-address

Specifies the attacker IP address to deny.

attacker-ip-address

The attacker IP address to deny. The IP address can be in the form of IPv4 or IPv6.

victim

Specifies the victim IP address to deny.

victim-ip-address

The victim IP address to deny. The IP address can be in the form of IPv4 or IPv6.

port

Specifies the victim port number.

port-number

The victim port number. The valid range is 0-65535.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator

Command History

Release

Modification

6.1(1)

This command was introduced.

6.2(0)

Added support for both IPv4 or IPv6 in the ip-address parameter.

Usage Guidelines

Use the deny attacker command to deny a specific attacker IP address. If you use the no form of this command without the parameters, all attackers currently being denied in the system are deleted.

Note This command does not exist in Cisco IOS Release 12.0 or earlier.

Examples

The following example adds a deny attacker with the IP address 10.1.1.1 and victim with the IP address 10.2.2.2 for virtual sensor vs0:

sensor# deny attacker virtual-sensor vs0 ip-address 10.1.1.1 victim 10.2.2.2

sensor#

The following example removes the denied attacker from the list of attackers currently being denied by the system for all virtual sensors:

sensor# no deny attacker ip-address 10.1.1.1 victim 10.2.2.2

Warning: Executing this command will delete this address from the list of attackers being denied by all virtual sensors.

Continue? [yes]: yes

sensor#

Related Commands

Command

Description

show statistics denied-attackers

Displays the list of denied attackers.

display-serial

To direct all output to the serial connection, use the display-serial command in global configuration mode. Use the no display-serial command to reset the output to the local terminal.

display-serial

no display-serial

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is no display-serial.

Command Modes

Global configuration

Supported User Roles

Administrator, operator

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Using the display-serial command lets you view system messages on a remote console (using the serial port) during the boot process. The local console is not available as long as this option is enabled. Unless you set this option when you are connected to the serial port, you do not get any feedback until Linux has fully booted and enabled support for the serial connection.

Examples

The following example redirects output to the serial port:

sensor(config)# display-serial

sensor(config)#

downgrade

To remove the last applied signature update or service pack, use the downgrade command in global configuration mode.

downgrade

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

Global configuration

Supported User Roles

Administrator

Command History

Release

Modification

4.0(1)

This command was introduced.

Examples

The following example removes the most recently applied signature update from the sensor:

sensor(config)# downgrade

Warning: Executing this command will reboot the system and downgrade to IDS-K9-sp-4.1-4-S91.rpm. Configuration changes made since the last upgrade will be lost and the system may be rebooted.

Continue with downgrade?: yes

sensor#

If the downgrade command is not available, for example, if no upgrades have been applied, the following is displayed:

sensor(config)# downgrade

Error: No downgrade available

sensor(config)#

Related Commands

Command

Description

show version

Displays the version information for all installed OS packages, signature packages, and IPS processes running on the system.

end

To exit configuration mode, or any of the configuration submodes, use the end command in global configuration mode. This command exits to the top level EXEC menu.

end

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

All modes

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Examples

The following example shows how to exit configuration mode:

sensor# configure terminal

sensor(config)# end

sensor#

erase

To delete a logical file, use the erase command in EXEC mode.

erase { backup-config | current-config | packet-file }

Syntax Description

current-config

The current running configuration. This configuration, unlike that for Cisco IOS 12.0, becomes persistent as the commands are entered. The file format is CLI commands.

Defaults

Command Modes

Command History

Usage Guidelines

Erasing the current configuration resets the configuration values back to default. It does not remove configuration instances created by the service command.

Note The Cisco IOS 12.0 version of this command lets you remove entire file systems. IPS does not support this concept.

Examples

The following example erases the current configuration file and returns all settings to their defaults. You may need to reboot the sensor after running this command.

sensor# erase current-config

Warning: Removing the current-config file will result in all configuration being reset to default, including system information such as IP address.

User accounts will not be erased. They must be removed manually using the “no username” command.

Continue? []: yes

sensor#

erase ad-knowledge-base

To remove a KB from the sensor, use the erase ad-knowledge-base command in EXEC mode.

erase ad-knowledge-base [ virtual-sensor [ name ]]

Syntax Description

virtual-sensor

(Optional) The virtual sensor containing the KB file. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

name

(Optional) The KB filename. This is a case-sensitive character string containing up to 32 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

You cannot remove the KB file that is loaded as the current KB file. You cannot remove the initial KB file.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example removes 2012-Mar-16-10_00_00 from virtual sensor vs0:

sensor# erase ad-knowledge-base vs0 2012-Mar-16-10_00_00

sensor#

The following example removes all KBs except the file loaded as current and the initial KB from virtual sensor vs0.

sensor# erase ad-knowledge-base vs0

Warning: Executing this command will delete all virtual sensor 'vs0' knowledge bases except the file loaded as current and the initial knowledge base.

Continue with erase? : yes

sensor#

The following example removes all KBs except the file loaded as current and the initial KB from all virtual sensors.

sensor# erase ad-knowledge-base

Warning: Executing this command will delete all virtual sensor knowledge bases except the file loaded as current and the initial knowledge base.

Continue with erase? : yes

sensor#

erase license-key

To remove a license key from the sensor, use the erase license-key command in EXEC mode.

erase license-key

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

7.1(3)

This command was introduced.

Usage Guidelines

This command deletes an installed license from the IPS sensor without needing to restart the sensor or log in to the sensor using the service account.

Examples

The following example removes the license key from the sensor:

sensor# erase license-key

Warning: Executing this command will remove the license key installed on the sensor.

You must have a valid license key installed on the sensor to apply the Signature Updates and use the Global Correlation features.

Continue? []: yes

sensor#

exit

To exit a configuration mode or close an active terminal session and terminate privileged EXEC mode, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

All modes

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Use the exit command to return to the previous menu level. If you have made any changes in the contained submodes, you are asked if you want to apply them. If you select no, you are returned to the parent submode.

Examples

The following example shows how to return to the previous menu level:

sensor# configure terminal

sensor(config)# exit

sensor#

iplog

To start IP logging on a virtual sensor, use the iplog command in EXEC mode. Use the no form of this command to disable all logging sessions on a virtual sensor, a particular logging session based on log-id, or all logging sessions.

Command History

Usage Guidelines

When the log is created, the status is added. If and when the first entry is inserted in the log, the status changes to started. When the log is completed, for example because it has reached the packet count limit, the status changes to completed.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example displays the status of all IP logs:

sensor# iplog-status

Log ID: 2425

IP Address: 10.1.1.2

Virtual Sensor: vs0

Status: started

Start Time: 2012/07/30 18:24:18 2011/07/30 12:24:18 CST

Packets Captured: 1039438

Log ID: 2342

IP Address: 10.2.3.1

Virtual Sensor: vs0

Status: completed

Event ID: 209348

Start Time: 2012/07/30 18:24:18 2011/07/30 12:24:18 CST

End Time: 2012/07/30 18:34:18 2011/07/30 12:34:18 CST

sensor#

The following example displays a brief list of all IP logs:

sensor# iplog-status brief

Log ID VS IP Address1 Status Event ID Start Date

2425 vs0 10.1.1.2 started N/A 2012/07/30

2342 vs0 10.2.3.1 completed 209348 2012/07/30
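The verbose and brief listings above share one set of fields; the following parser, added here as an illustration and not Cisco code, turns the verbose `iplog-status` output into records, rebuilds the brief columns, and lists captures that are still open. The sample output is constructed to mirror the listing shown on this page.

```python
"""Parse the verbose output of the IPS `iplog-status` command into records."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one log still capturing and one completed log,
# in the same "Key: value" layout as the reference output above.
SAMPLE_OUTPUT = """\
sensor# iplog-status
Log ID: 2425
IP Address: 10.1.1.2
Virtual Sensor: vs0
Status: started
Start Time: 2012/07/30 18:24:18 2011/07/30 12:24:18 CST
Packets Captured: 1039438
Log ID: 2342
IP Address: 10.2.3.1
Virtual Sensor: vs0
Status: completed
Event ID: 209348
Start Time: 2012/07/30 18:24:18 2011/07/30 12:24:18 CST
End Time: 2012/07/30 18:34:18 2011/07/30 12:34:18 CST
sensor#
"""

# The three states the Usage Guidelines describe for an IP log.
VALID_STATUSES = {"added", "started", "completed"}
# "Key: value" lines; the prompt lines carry no colon and are skipped.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")


@dataclass
class IpLog:
    log_id: int
    ip_address: str
    virtual_sensor: str
    status: str
    event_id: Optional[int] = None       # only present for event-triggered logs
    start_time: Optional[str] = None
    end_time: Optional[str] = None       # only present once the log completed
    packets_captured: Optional[int] = None


def parse_iplog_status(text: str) -> list:
    """Group 'Key: value' lines into one record per 'Log ID' header."""
    logs = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Log ID":
            logs.append({"log_id": int(value)})
            continue
        if not logs:
            raise ValueError(f"field before first Log ID: {line!r}")
        cur = logs[-1]
        if key == "IP Address":
            cur["ip_address"] = value
        elif key == "Virtual Sensor":
            cur["virtual_sensor"] = value
        elif key == "Status":
            if value not in VALID_STATUSES:
                raise ValueError(f"unknown status {value!r} in log {cur['log_id']}")
            cur["status"] = value
        elif key == "Event ID":
            cur["event_id"] = int(value)
        elif key == "Start Time":
            cur["start_time"] = value
        elif key == "End Time":
            cur["end_time"] = value
        elif key == "Packets Captured":
            cur["packets_captured"] = int(value)
    return [IpLog(**d) for d in logs]


def brief(logs) -> list:
    """Render the same columns as `iplog-status brief` (header first)."""
    rows = ["Log ID VS IP Address Status Event ID Start Date"]
    for lg in logs:
        start_date = lg.start_time.split()[0] if lg.start_time else "N/A"
        ev = str(lg.event_id) if lg.event_id is not None else "N/A"
        rows.append(f"{lg.log_id} {lg.virtual_sensor} {lg.ip_address} "
                    f"{lg.status} {ev} {start_date}")
    return rows


def open_captures(logs) -> list:
    """Logs in the added or started state, i.e. captures still consuming storage."""
    return [lg for lg in logs if lg.status != "completed"]
```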

Related Commands

Command

Description

iplog

Starts IP logging on a virtual sensor.

list component-configurations

To display the existing configuration instances for a component, use the list component-configurations command in EXEC mode.

Related Commands

more begin

Searches the output of the more command and displays the output from the first instance of a specified string.

more exclude

Filters the more command output so that it excludes lines that contain a particular regular expression.

more include

Filters the more command output so that it displays only lines that contain a particular regular expression.

more begin

To search the output of any more command, use the more begin command in EXEC mode. This command begins unfiltered output of the more command with the first line that contains the regular expression specified.

more [current-config | backup-config] | begin regular-expression

Syntax Description

current-config

The current running configuration. This configuration, unlike that for Cisco IOS 12.0, becomes persistent as the commands are entered. The file format is CLI commands.

Command History

Usage Guidelines

The regular-expression argument is case sensitive and allows for complex matching requirements.

Examples

The following example shows how to search the more command output to include only the regular expression “ip”:

sensor# more current-config | include ip

host-ip 192.168.1.2/24,192.168.1.1

sensor#
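The three filters (begin, include, exclude) share one case-sensitive regular-expression match; the following function, added here as an illustration and not Cisco code, reproduces their semantics over a constructed sample of `more current-config` output so the behaviour can be checked offline.

```python
"""Model of the begin/include/exclude filters applied to `more` output."""
import re

# Constructed sample of `more current-config` output (not a real sensor config).
SAMPLE_CONFIG = """\
! ------------------------------
! Current configuration last modified Mon Jul 30 18:00:00 2012
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 10.0.0.0/24
exit
exit
service web-server
port 443
exit
""".splitlines()


def more_filter(lines, mode: str, pattern: str) -> list:
    """Apply `more ... | <mode> regular-expression` to a list of output lines.

    The expression is case sensitive (re.compile without re.IGNORECASE) and
    is searched anywhere in the line, which is why "ip" hits "host-ip".
    """
    rx = re.compile(pattern)
    if mode == "begin":
        # Unfiltered output starting with the first line that matches.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":
        # Only lines that contain the expression.
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        # Everything except lines that contain the expression.
        return [line for line in lines if not rx.search(line)]
    raise ValueError(f"unknown filter mode {mode!r}; use begin, include or exclude")
```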

Related Commands

Command

Description

more begin

Searches the output of the more command and displays the output from the first instance of a specified string.

more exclude

Filters the more command output so that it excludes lines that contain a particular regular expression.

show begin

Searches the output of certain show commands and displays the output from the first instance of a specified string.

show exclude

Filters the show command output so that it excludes lines that contain a particular regular expression.

show include

Filters the show command output so that it displays only lines that contain a particular regular expression.

packet

To display or capture live traffic on an interface, use the packet command in EXEC mode. Use the display option to dump live traffic or a previously captured file directly to the screen. Use the capture option to capture the libpcap output into a local file. There is only one local file storage location; subsequent capture requests overwrite the existing file. You can copy the local file off the machine using the copy command with the packet-file keyword. You can view the local file using the display packet-file option. Use the info option to display information about the local file, if any. Use the packet display iplog id [verbose] [expression expression] form to display IP logs.

Syntax Description

interface-name

Interface name, interface type followed by slot/port. You are allowed to enter only a valid interface name existing in the system.

snaplen

(Optional) Specifies that a snapshot length follows.

length

(Optional) Snapshot length. The default is 0. A valid range is 0 to 1600.

count

(Optional) Specifies that a packet count follows.

count

(Optional) Number of packets to capture. If not specified, the capture terminates after the maximum file size has been captured. The valid range is 1 to 10000.

verbose

(Optional) Displays the protocol tree for each packet rather than a one-line summary.

expression

(Optional) Specifies that a filter expression follows.

expression

(Optional) Packet capture filter expression. This expression is passed directly to tcpdump and must meet the tcpdump expression syntax.

id

Existing IP log ID to display.

file-info

Displays information about the stored packet file.

vlan and

Matches packets with VLAN headers.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer (display only)

Command History

Release

Modification

5.0(1)

This command was introduced.

Usage Guidelines

Storage is available for one local file. The size of this file varies depending on the platform. If possible, a message is displayed if the maximum file size is reached before the requested packet count is captured. Only one user can use the packet capture interface-name command at a time. A second user request results in an error message containing information about the user executing the capture. A configuration change involving the interface can result in abnormal termination of any packet command running on that interface.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Note If you use the expression option when monitoring packets with VLAN headers, the expression does not match properly unless vlan and is added to the beginning of the expression. For example, packet display iplog 926299444 verbose expression icmp will NOT show ICMP packets; packet display iplog 926299444 verbose expression vlan and icmp WILL show ICMP packets. It is often necessary to use expression vlan and on the ASA 5500 AIP SSC-5, IDSM2, and IPS appliance interfaces connected to trunk ports.

Examples

The following example displays information about the stored capture file:

sensor# packet display file-info

Captured by: jsmith:5292, Cmd: packet capture fastethernet0/0

Start: 2012/01/07 11:16:21 CST, End: 2012/01/07 11:20:35 CST

Related Commands

Command

Description

iplog

Starts IP logging on a virtual sensor.

iplog-status

Displays a description of the available IP log contents.

password

To update your password on the local sensor, use the password command in global configuration mode. The administrator can also use the password command to change the password for an existing user. The administrator can use the no form of the command to disable a user account.

password

Administrator syntax: password [name [newPassword]]

no password name

Syntax Description

name

Specifies the user's name. A valid username is 1 to 64 characters in length. The username must begin with an alphanumeric character; otherwise all characters except spaces are accepted.

newPassword

Specifies the password for the user. The password is requested interactively when the user enters this command. A valid password is 8 to 32 characters in length. All characters except space are allowed.

Defaults

Command Modes

Global configuration

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Use the password command to update the current user's login password. The administrator can also use this command to modify the password for an existing user. The administrator is not prompted for the current password in this case.

You receive an error if you try to disable the last administrator account. Use the password command to reenable a disabled user account and reset the user password.

The password is protected in IPS.

Note The Cisco IOS 12.0 password command lets you enter the new password in the clear on the password line.

Examples

The following example shows how to modify the current user’s password:

sensor(config)# password

Enter Old Login Password: **********

Enter New Login Password: ******

Re-enter New Login Password: ******

sensor(config)#

The following example modifies the password for the user tester. Only administrators can execute this command:

sensor(config)# password tester

Enter New Login Password: ******

Re-enter New Login Password: ******

sensor(config)#
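The username and password rules in the Syntax Description, and the refusal to disable the last administrator described in the Usage Guidelines, can be modelled as follows. This is an added illustration, not Cisco code; the in-memory user table, its field names and the sample users are constructed for the example, and password storage is reduced to a flag.

```python
"""Model of the `password` / `no password` account rules from this reference."""
import re

# First character alphanumeric, then anything except whitespace, 1 to 64 total.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9]\S{0,63}$")


def username_error(name: str):
    """Return None when the username is acceptable, otherwise the reason."""
    if not 1 <= len(name) <= 64:
        return "username must be 1 to 64 characters"
    if not re.match(r"[A-Za-z0-9]", name):
        return "username must begin with an alphanumeric character"
    if not _USERNAME_RE.match(name):
        return "username must not contain spaces"
    return None


def password_error(pw: str):
    """Return None when the password is acceptable, otherwise the reason."""
    if not 8 <= len(pw) <= 32:
        return "password must be 8 to 32 characters"
    if any(c.isspace() for c in pw):
        return "password must not contain spaces"
    return None


def sample_users() -> dict:
    """Constructed user table: name -> privilege and enabled flag."""
    return {
        "cisco":  {"privilege": "administrator", "enabled": True},
        "tester": {"privilege": "operator",      "enabled": True},
        "backup": {"privilege": "administrator", "enabled": False},
    }


def disable_user(users: dict, name: str) -> None:
    """Model `no password name`: refuse to disable the last enabled administrator."""
    if name not in users:
        raise KeyError(f"no such user {name!r}")
    user = users[name]
    if user["privilege"] == "administrator":
        enabled_admins = [n for n, u in users.items()
                          if u["privilege"] == "administrator" and u["enabled"]]
        if enabled_admins == [name]:
            raise PermissionError("cannot disable the last administrator account")
    user["enabled"] = False


def set_password(users: dict, name: str, new_password: str) -> None:
    """Model `password name`: validate, then reset and re-enable the account.

    Real storage would hash the password; here only a flag records the change.
    """
    if name not in users:
        raise KeyError(f"no such user {name!r}")
    err = password_error(new_password)
    if err:
        raise ValueError(err)
    users[name]["enabled"] = True          # a disabled account is re-enabled
    users[name]["password_changed"] = True
```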

Related Commands

Command

Description

username

Creates users on the local sensor.

ping

To diagnose basic network connectivity, use the ping command in EXEC mode.

ping address [ count ]

Syntax Description

address

IP address of the system to ping.

count

Number of echo requests to send. If no value is entered, four requests are sent. The valid range is 1 to 10000.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Command History

Release

Modification

4.0(1)

This command was introduced.

Supported User Roles

Administrator, operator, viewer

Usage Guidelines

This command is implemented using the ping command provided by the operating system. The output from the command varies slightly between operating systems.

Examples

The following example shows the output of the ping command for Solaris systems:

sensor# ping 10.1.1.1

PING 10.1.1.1: 32 data bytes

40 bytes from 10.1.1.1: icmp_seq=0. time=0. ms

40 bytes from 10.1.1.1: icmp_seq=1. time=0. ms

40 bytes from 10.1.1.1: icmp_seq=2. time=0. ms

40 bytes from 10.1.1.1: icmp_seq=3. time=0. ms

----10.1.1.1 PING Statistics----

4 packets transmitted, 4 packets received, 0% packet loss

round-trip (ms) min/avg/max = 0/0/0

sensor#

The following example shows the output of the ping command for Linux systems:

privilege

To modify the privilege level for an existing user, use the privilege command in global configuration mode. You can also specify the privilege while creating a user with the username command.

privilege user name [ administrator | operator | viewer ]

Syntax Description

name

Specifies the user's name. A valid username is 1 to 64 characters in length. The username must begin with an alphanumeric character; otherwise all characters except spaces are accepted.

administrator

Specifies the administrator privilege.

operator

Specifies the operator privilege.

viewer

Specifies the viewer privilege.

Defaults

This command has no default behavior or values.

Command Modes

Global configuration

Supported User Roles

Administrator

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Use the privilege command to modify the privilege level of an existing user.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example changes the privilege of the user “tester” to operator.

sensor(config)# privilege user tester operator

Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.

sensor(config)#

Related Commands

Command

Description

username

Creates users on the local sensor.

recover

To reimage the application partition with the application image stored on the recovery partition, use the recover command in privileged EXEC mode. The sensor is rebooted multiple times and most of the configuration—except for network, access list, and time parameters—is reset to the default settings.

More specifically, the following settings are maintained after a local recovery using the recover application-partition command: Network Settings (IP Address, Netmask, Default Gateway, Hostname, and Telnet (enabled/disabled)); Access List Entries/ACL0 Settings (IP Address and Netmask); and Time Settings (Offset and Standard Time Zone Name); the rest of the parameters are reset to the default settings.

recover application-partition

Syntax Description

application-partition

Reimages the application partition.

Defaults

This command has no default behavior or values.

Command Modes

Global configuration

Command History

Release

Modification

4.0(1)

This command was introduced.

Supported User Roles

Administrator

Usage Guidelines

Valid answers to the continue with recover question are yes or no. Y or N are not valid responses.

Shutdown begins immediately after the command is executed. Because shutdown may take a little time, you may continue to access CLI commands (access is not denied), but access is terminated without warning. If necessary, a period (.) will be displayed on the screen once a second to indicate progress while the applications are shutting down.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example reimages the application partition using the version 7.1(1)E4 image stored on the recovery partition:

sensor(config)# recover application-partition

Warning: Executing this command will stop all applications and re-image the node to version 7.1(1)E4. All configuration changes except for network settings will be reset to default.

Continue with recovery? []:yes

Request Succeeded

sensor(config)#

rename ad-knowledge-base

To rename an existing KB file, use the rename ad-knowledge-base command in EXEC mode.

Syntax Description

virtual-sensor

The virtual sensor containing the KB file. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

current

The currently loaded KB.

file

An existing KB file.

name

The KB filename. This is a case-sensitive character string containing up to 32 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

new-name

The new KB filename. This is a case-sensitive character string containing 1 to 32 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

If you use the current keyword, you are renaming the KB that is currently being used. You cannot rename the initial KB file.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example renames 2006-Mar-16-10_00_00 to my-kb:

sensor# rename ad-knowledge-base vs0 file 2006-Mar-16-10_00_00 my-kb

sensor#

reset

To shut down the applications running on the sensor and reboot the appliance, use the reset command in EXEC mode. If the powerdown option is included, the appliance is powered off if possible or left in a state where the power can be turned off.

reset [ powerdown ]

Syntax Description

powerdown

This option causes the sensor to power off after the applications are shut down.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Command History

Release

Modification

4.0(1)

This command was introduced.

Supported User Roles

Administrator

Usage Guidelines

Valid answers to the continue with reset question are yes or no. Y or N are not valid responses.

Shutdown begins immediately after the command is executed. Access to the CLI commands is not denied during the shutdown; however, an open session is terminated without warning as soon as the shutdown is completed. If necessary, a period (.) will be displayed on the screen once a second to indicate progress while the applications are shutting down.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example reboots the sensor:

sensor# reset

Warning: Executing this command will stop all applications and reboot the node.

Continue with reset? []:yes

sensor#

service

To enter configuration menus for various sensor services, use the service command in global configuration mode. Use the default form of the command to reset the entire configuration for the application back to factory defaults.

To enter configuration mode for a logically named event action rules configuration, use the service event-action-rules name command in global configuration mode. The default keyword resets the configuration to factory settings. The no keyword removes the event action rules configuration from the sensor. This command only succeeds if the configuration is not assigned to a virtual sensor.

service event-action-rules name

default service event-action-rules name

no service event-action-rules name

To enter configuration mode for a logically named signature definition configuration, use the service signature-definition name command in global configuration mode. The default keyword resets the configuration to factory settings. The no keyword removes the signature definition configuration from the sensor. This command only succeeds if the configuration is not assigned to a virtual sensor.

service signature-definition name

default service signature-definition name

no service signature-definition name

To enter configuration mode for a logically named anomaly-detection configuration, use the service anomaly-detection name command in global configuration mode. The default keyword resets the configuration to factory settings. The no keyword removes the anomaly detection configuration from the sensor. This command only succeeds if the configuration is not assigned to a virtual sensor.

authentication

Configures the order of methods that should be used to authenticate users.

event-action-rules

Configures the parameters for an event action rules configuration.

external-product-interface

Configures the parameters for the external product interface.

global-correlation

Configures the parameters for global correlation.

health-monitor

Configures the health and security monitoring and reporting.

host

Configures the system clock settings, upgrades, and IP access list.

interface

Configures the sensor interfaces.

logger

Configures debug levels.

network-access

Configures parameters relating to ARC.

Note Network Access Controller is now known as Attack Response Controller (ARC). Although the service has a new name, the change is not reflected in the Cisco IPS 6.2 and later CLI. You will still see network-access and nac throughout the CLI.

notification

Configures the notification application.

signature-definition

Configures the parameters for a signature definition configuration.

ssh-known-hosts

Configures the known hosts keys for the system.

trusted-certificate

Configures the list of X.509 certificates for trusted certificate authorities.

web-server

Configures parameters relating to the web server such as web server port.

name

Logical name of the event action rules or signature definition configuration. If the logical name does not already exist, a new configuration file is created.

Usage Guidelines

This command lets you configure service-specific parameters. The items and menus in this configuration are service dependent and are built dynamically based on the configuration retrieved from the service when the command is executed.

Caution The modifications made in this mode and any submodes contained within it are applied to the service when you exit the service mode.

The command mode is indicated on the command prompt by the name of the service. For example, service authentication has the following prompt:

sensor(config-aut)#

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following command enters the configuration mode for the AAA service:

sensor(config)# service aaa

sensor(config-aaa)#

The following command enters the configuration mode for the analysis engine service:

sensor(config)# service analysis-engine

sensor(config-ana)#

The following command enters the configuration mode for the anomaly detection service:

sensor(config)# service anomaly-detection

sensor(config-ano)#

The following command enters the configuration mode for the authentication service:

sensor(config)# service authentication

sensor(config-aut)#

The following command enters the configuration mode for the event action rules service:

sensor(config)# service event-action-rules rules0

sensor(config-rul)#

The following command enters the configuration mode for the external product interface service:

sensor(config)# service external-product-interface

sensor(config-ext)#

The following command enters the configuration mode for the global correlation service:

sensor(config)# service global-correlation

sensor(config-glo)#

The following command enters the configuration mode for the health monitor service:

sensor(config)# service health-monitor

sensor(config-hea)#

The following command enters the configuration mode for the host service:

sensor(config)# service host

sensor(config-hos)#

The following command enters the configuration mode for the interface service:

sensor(config)# service interface

sensor(config-int)#

The following command enters the configuration mode for the logger service:

sensor(config)# service logger

sensor(config-log)#

The following command enters the configuration mode for the ARC service:

sensor(config)# service network-access

sensor(config-net)#

The following command enters the configuration mode for the SNMP notification service:

sensor(config)# service notification

sensor(config-not)#

The following command enters the configuration mode for the signature definition service:

sensor(config)# service signature-definition sig0

sensor(config-sig)#

The following command enters the configuration mode for the SSH known hosts service:

sensor(config)# service ssh-known-hosts

sensor(config-ssh)#

The following command enters the configuration mode for the trusted certificate service:

sensor(config)# service trusted-certificate

sensor(config-tru)#

The following command enters the configuration mode for the web server service:

sensor(config)# service web-server

sensor(config-web)#

setup

To perform basic sensor configuration, use the setup command in EXEC mode.

Added auto mode in setup and modified the setup command as required by 6.1(1).

7.0

Added global correlation.

7.1(8)

Added SSHv1 fallback.

Usage Guidelines

The sensor automatically calls the setup command when you connect to the sensor using a console cable and the sensor basic network settings have not yet been configured. The sensor does not call auto setup under the following conditions:

When initialization has already been successfully completed.

If you have recovered or downgraded the sensor.

If you have set the host configuration to default after successfully configuring the sensor using the auto setup.

When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process.

The values shown in brackets next to each prompt are the default values last set.

You must run through the entire System Configuration Dialog until you come to the item that you want to change. To accept default settings for items that you do not want to change, press Enter.

To return to the EXEC prompt without making changes and without running through the entire System Configuration Dialog, press Ctrl-C.

The facility also provides help text for each prompt. To access help text, enter the question mark (?) at a prompt.

When you complete your changes, the configuration that was created during the setup session appears. You are prompted to save this configuration. If you enter yes, the configuration is saved to disk. If you enter no, the configuration is not saved and the process begins again. There is no default for this prompt; you must enter either yes or no.

Valid ranges for configurable parameters are as follows:

IP Address/Netmask/Gateway: X.X.X.X/nn,Y.Y.Y.Y, where

X.X.X.X specifies the sensor IP address as a 32-bit address written as four octets separated by periods where X = 0-255.

nn specifies the number of bits in the netmask.

Y.Y.Y.Y specifies the default gateway as a 32-bit address written as four octets separated by periods where Y = 0-255.

Host Name: Case-sensitive character string, up to 256 characters. Numbers, “_” and “-” are valid; spaces are not accepted.
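The ranges above, together with the x.x.x.x/nn form that the access-list prompt in the example below insists on, can be checked before they are typed into the dialog. The validators that follow are an added illustration, not Cisco code; letters are assumed to be valid host name characters alongside the digits, “_” and “-” the text lists, and the gateway-in-subnet test is an extra sanity check assumed here rather than a rule stated by the dialog.

```python
"""Validators for the address and host name answers the setup dialog accepts."""
import re
from ipaddress import IPv4Address, IPv4Network, AddressValueError

# x.x.x.x/nn: four decimal octets and a prefix length, no dotted netmasks.
_PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$")
# Numbers, "_" and "-" per the page; letters assumed valid too; no spaces; 1-256.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")


def parse_prefix(text: str) -> IPv4Network:
    """Parse 'x.x.x.x/nn' (access-list entry form); octets 0-255, nn 0-32."""
    m = _PREFIX_RE.match(text.strip())
    if not m:
        raise ValueError("expected x.x.x.x/nn, for example 192.168.1.0/24")
    addr, bits = m.group(1), int(m.group(2))
    try:
        IPv4Address(addr)                 # rejects any octet outside 0-255
    except AddressValueError as e:
        raise ValueError(f"bad address {addr}: {e}") from None
    if not 0 <= bits <= 32:
        raise ValueError(f"netmask bits must be 0-32, got {bits}")
    # strict=False: host bits are masked off rather than rejected.
    return IPv4Network(f"{addr}/{bits}", strict=False)


def parse_ip_interface(text: str):
    """Validate the 'X.X.X.X/nn,Y.Y.Y.Y' answer to 'Enter IP interface'.

    Returns (sensor address, netmask bits, default gateway).
    """
    parts = text.strip().split(",")
    if len(parts) != 2:
        raise ValueError("expected X.X.X.X/nn,Y.Y.Y.Y")
    addr_part, gw_part = parts
    network = parse_prefix(addr_part)
    sensor_ip = IPv4Address(addr_part.strip().split("/")[0])
    try:
        gateway = IPv4Address(gw_part.strip())
    except AddressValueError as e:
        raise ValueError(f"bad gateway {gw_part}: {e}") from None
    # Assumed sanity check: the default gateway must sit on the sensor's own subnet.
    if gateway not in network:
        raise ValueError(f"gateway {gateway} is not inside {network}")
    return sensor_ip, network.prefixlen, gateway


def valid_hostname(name: str) -> bool:
    """Case-sensitive, 1 to 256 characters, no spaces."""
    return _HOSTNAME_RE.match(name) is not None
```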

Enter the clock settings in setup mode only if the system is not using NTP. NTP commands are provided separately.

You can configure daylight savings time either in recurring mode or date mode. If you select recurring mode, the start and end days are entered based on week, day, month, and time. If you select date mode, the start and end days are entered based on month, day, year, and time. Selecting disable turns off daylight savings time.

(Optional) Number of minutes to add during summertime. The default is 60.

timezone

Name of the time zone to be displayed when standard time is in effect.

hours

Hours offset from UTC.

hh:mm:ss

Current time in hours (24-hour format), minutes, and seconds.

You can also edit the default virtual sensor, vs0. You can assign promiscuous, inline pairs, and/or inline VLAN pairs to the virtual sensor, which in turn enables the assigned interfaces. After setup is complete, the virtual sensor is configured to monitor traffic.

While in setup, you can enable/disable the overrides rule associated with the deny-packet-inline action. You can modify all instances of event action rules configuration that are assigned to a virtual sensor. Event action rules configuration instances that are not assigned to a virtual sensor are not changed.

Examples

The following example shows the setup command and the System Configuration program:

sensor# setup

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.

User ctrl-c to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

Current time: Mon Dec 3 07:15:11 2011

Setup Configuration last modified: Tue Nov 27 18:40:12 2009

Enter host name[sensor]:

Enter IP interface[172.21.172.25/8,172.21.172.1]:

Enter telnet-server status[enabled]:

Enter web-server port[8080]: 80

Modify current access list? [no]: yes

Current access list entries:

[1] 10.0.0.0/24

[2] 172.0.0.0/24

Delete: 1

Delete:

Permit: ?

% Please enter a valid IP address and netmask in the form x.x.x.x/nn. For example:192.168.1.0/24

Permit: 173.0.0.0/24

Permit:

Use DNS server for global collaboration?[yes]:

DNS server IP address[10.10.10.10]:

Use HTTP proxy server for global collaboration?[yes]:

HTTP proxy server IP address[128.107.241.169]:

HTTP proxy server Port number[8080]:

Modify system clock settings? [no]: yes

Modify summer time settings?[no]: yes

Use USA SummerTime Defaults?[yes]: yes

DST Zone[]: CDT

Offset[60]:

Modify system timezone? [no]: yes

Timezone[UTC]: CST

GMT Offset[-360]

Use NTP? [yes]:yes

NTP Server IP Address[]: 10.89.147.12

Use NTP Authentication?[no]: yes

NTP Key ID[]: 1

NTP Key Value[]: cisco

Network Participation level?[off]: partial

If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential.

The following prompts will allow the creation/deletion of interfaces. The interfaces can be assigned to virtual sensors in the edit virtual sensor configuration section. If interfaces will be monitored promiscuously and not subdivided by vlan no additional configuration is necessary. Proceed to virtual sensor configuration to assign interfaces to the virtual sensor.

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option: 1

Inline Vlan Pairs:

[1] GigabitEthernet1/0:1 (Vlans: 2, 3)

[2] GigabitEthernet1/0:2 (Vlans: 344, 23)

[3] GigabitEthernet1/0:10 (Vlans: 20, 10)

Promiscuous Vlan Groups:

[4] GigabitEthernet1/1:3 (Vlans: 5-7,9)

Inline Interface Pair Vlan Groups:

[5] foo:3 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 200-299)

[6] foo:8 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 300-399)

Remove Interface: 6

Remove Interface:

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option: 2

Available Interfaces

[1] GigabitEthernet1/0

[2] GigabitEthernet2/1

[3] GigabitEthernet4/0

[4] GigabitEthernet4/1

Interface to modify: 2

Inline Vlan Pairs for GigabitEthernet2/1:

None

Subinterface number: 1

Description[Created via setup by user cisco]:

Vlan1: 5

Vlan2: 6

Subinterface number:

Available Interfaces

[1] GigabitEthernet1/0

[2] GigabitEthernet2/1

[3] GigabitEthernet4/0

[4] GigabitEthernet4/1

Interface to modify:

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option: 3

Available Interfaces

[1] GigabitEthernet1/1

[2] GigabitEthernet4/0

[3] GigabitEthernet4/1

Interface to modify: 1

Promiscuous Vlan Groups for GigabitEthernet1/1:

GigabitEthernet1/1:3 (Vlans: 5-7,9)

Subinterface number: 1

Description[Created via setup by user cisco]:

Vlans: 3,8,34-69

Subinterface number:

Available Interfaces

[1] GigabitEthernet1/1

[2] GigabitEthernet4/0

[3] GigabitEthernet4/1

Interface to modify:

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option: 4

Available Interfaces

GigabitEthernet4/0

GigabitEthernet4/1

Pair Name: test

Description[Created via setup by user cisco]:

Interface1: GigabitEthernet4/0

Interface2: GigabitEthernet4/1

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option: 5

Available inline interface pairs:

[1] foo (GigabitEthernet3/0, GigabitEthernet3/1)

[2] test (GigabitEthernet4/0, GigabitEthernet4/1)

Interface to modify: 1

Inline Interface Pair Vlan Groups for foo:

Subinterface: 3; Vlans: 200-299

Subinterface number: 1

Description[Created via setup by user cisco]:

Vlans: 100-199

Subinterface number:

Available inline interface pairs:

[1] foo (GigabitEthernet3/0, GigabitEthernet3/1)

[2] test (GigabitEthernet4/0, GigabitEthernet4/1)

Interface to modify:

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option: 6

GigabitEthernet0/0 default-vlan[0]:

GigabitEthernet1/0 default-vlan[0]:

GigabitEthernet1/1 default-vlan[0]:

GigabitEthernet2/0 default-vlan[0]:

GigabitEthernet2/1 default-vlan[0]:

GigabitEthernet3/0 default-vlan[0]: 100

GigabitEthernet3/1 default-vlan[0]: 100

GigabitEthernet4/0 default-vlan[0]:

GigabitEthernet4/1 default-vlan[0]:

[1] Remove interface configurations.

[2] Add/Modify Inline Vlan Pairs.

[3] Add/Modify Promiscuous Vlan Groups.

[4] Add/Modify Inline Interface Pairs.

[5] Add/Modify Inline Interface Pair Vlan Groups.

[6] Modify interface default-vlan.

Option:

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option: 3

Current interface configuration

Command control GigabitEthernet0/1

Unassigned:

Promiscuous:

GigabitEthernet2/1

Inline Vlan Pairs:

GigabitEthernet1/0:10 (Vlans: 20, 10)

Promiscuous Vlan Groups:

GigabitEthernet1/1:1 (Vlans: 3,8,34-39)

Inline Interface Pairs:

test (GigabitEthernet4/0, GigabitEthernet4/1)

Inline Interface Pair Vlan Groups:

foo:1 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 100-199)

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Promiscuous:

GigabitEthernet0/0

Inline Vlan Pairs:

GigabitEthernet1/0:1 (Vlans: 2, 3)

GigabitEthernet1/0:2 (Vlans: 344, 23)

Virtual Sensor: myVs

Anomaly Detection: myAd

Event Action Rules: myEvr

Signature Definition: mySigs

Promiscuous:

GigabitEthernet2/0

Promiscuous Vlan Groups:

GigabitEthernet1/1:3 (Vlans: 5-7,9)

Inline Interface Pair Vlan Groups:

foo:3 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 200-299)

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option: 2

[1] Remove virtual sensor.

[2] Modify “vs0” virtual sensor configuration.

[3] Modify “myVs” virtual sensor configuration.

[4] Create new virtual sensor.

Option: 1

Virtual sensors

[1] vs0

[2] myVs

Remove: 2

Remove:

[1] Remove virtual sensor.

[2] Modify “vs0” virtual sensor configuration.

[3] Create new virtual sensor.

Option: 2

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Promiscuous:

GigabitEthernet0/0

Inline Vlan Pairs:

[1] GigabitEthernet1/0:1 (Vlans: 2, 3)

[2] GigabitEthernet1/0:2 (Vlans: 344, 23)

Remove Interface: 2

Remove Interface:

Unassigned:

Promiscuous:

[1] GigabitEthernet2/1

[2] GigabitEthernet2/0

Inline Vlan Pairs:

[3] GigabitEthernet1/0:2 (Vlans: 344, 23)

[4] GigabitEthernet1/0:10 (Vlans: 20, 10)

Promiscuous Vlan Groups:

[5] GigabitEthernet1/1:1 (Vlans: 3,8,34-39)

[6] GigabitEthernet1/1:3 (Vlans: 5-7,9)

Inline Interface Pairs:

[7] test (GigabitEthernet4/0, GigabitEthernet4/1)

Inline Interface Pair Vlan Groups:

[8] foo:1 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 100-199)

[9] foo:3 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 200-299)

Add Interface: 4

Add Interface:

Current interface configuration

Command control GigabitEthernet0/1

Unassigned:

Promiscuous:

GigabitEthernet2/0

GigabitEthernet2/1

Inline Vlan Pairs:

GigabitEthernet1/0:2 (Vlans: 344, 23)

Promiscuous Vlan Groups:

GigabitEthernet1/1:1 (Vlans: 3,8,34-39)

GigabitEthernet1/1:3 (Vlans: 5-7,9)

Inline Interface Pairs:

test (GigabitEthernet4/0, GigabitEthernet4/1)

Inline Interface Pair Vlan Groups:

foo:1 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 100-199)

foo:3 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 200-299)

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Promiscuous:

GigabitEthernet0/0

Inline Vlan Pairs:

GigabitEthernet1/0:1 (Vlans: 2, 3)

GigabitEthernet1/0:10 (Vlans: 20, 10)

[1] Remove virtual sensor.

[2] Modify “myVs” virtual sensor configuration.

[3] Create new virtual sensor.

Option: 3

Name: newVs

Description[Created via setup by user cisco]:

Anomaly Detection Configuration:

[1] ad0

[2] myAd

[3] Create a new anomaly detection configuration

Option[3]: 2

Signature Definition Configuration:

[1] sig0

[2] mySigs

[3] Create new signature definition configuration

Option[3]: 2

Event Action Rules Configuration:

[1] rules0

[2] myEvr

[3] newRules

[4] Create new event action rules configuration

Option[4]: 2

Unassigned:

Promiscuous:

[1] GigabitEthernet2/0

[2] GigabitEthernet2/1

Inline Vlan Pairs:

[3] GigabitEthernet1/0:1 (Vlans: 2, 3)

Promiscuous Vlan Groups:

[4] GigabitEthernet1/1:1 (Vlans: 3,8,34-39)

[5] GigabitEthernet1/1:3 (Vlans: 5-7,9)

Inline Interface Pairs:

[6] test (GigabitEthernet4/0, GigabitEthernet4/1)

Inline Interface Pair Vlan Groups:

[7] foo:1 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 100-199)

[8] foo:3 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 200-299)

Add Interface: 1

Add Interface: 2

Add Interface:

Current interface configuration

Command control GigabitEthernet0/1

Unassigned:

Inline Vlan Pairs:

GigabitEthernet1/0:1 (Vlans: 2, 3)

Promiscuous Vlan Groups:

GigabitEthernet1/1:1 (Vlans: 3,8,34-39)

GigabitEthernet1/1:3 (Vlans: 5-7,9)

Inline Interface Pairs:

test (GigabitEthernet4/0, GigabitEthernet4/1)

Inline Interface Pair Vlan Groups:

foo:1 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 100-199)

foo:3 (GigabitEthernet3/0, GigabitEthernet3/1 Vlans: 200-299)

Virtual Sensor: vs0

Anomaly Detection: ad0

Event Action Rules: rules0

Signature Definitions: sig0

Promiscuous:

GigabitEthernet0/0

Inline Vlan Pairs:

GigabitEthernet1/0:1 (Vlans: 2, 3)

GigabitEthernet1/0:2 (Vlans: 344, 23)

GigabitEthernet1/0:10 (Vlans: 20, 10)

Virtual Sensor: newVs

Anomaly Detection: myAd

Event Action Rules: newRules

Signature Definition: mySigs

Promiscuous:

GigabitEthernet2/0

GigabitEthernet2/1

[1] Remove virtual sensor.

[2] Modify “vs0” virtual sensor configuration.

[3] Modify “newVs” virtual sensor configuration.

[4] Create new virtual sensor.

Option:

[1] Edit Interface Configuration

[2] Edit Virtual Sensor Configuration

[3] Display configuration

Option:

Modify default threat prevention settings? [no] yes

Virtual sensor vs0 is NOT configured to prevent a modified range of threats in inline mode. (Risk Rating 75-100)

show ad-knowledge-base files

To display the anomaly detection KB files available for a virtual sensor, use the show ad-knowledge-base files command in EXEC mode.

show ad-knowledge-base virtual-sensor files

Syntax Description

virtual-sensor

(Optional) The virtual sensor containing the KB file. This is a case-sensitive character string containing 1 to 64 characters. Valid characters are A-Z, a-z, 0-9, “-” and “_.”

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

The * before the filename indicates the KB file that is currently loaded. The current KB always exists (it is the initial KB after installation). The marked file is the KB currently loaded in anomaly detection, or the one that will be loaded if anomaly detection is currently not active.

If you do not provide the virtual sensor, all KB files are retrieved for all virtual sensors.

The initial KB is a KB with factory-configured thresholds.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example displays the KB files available for all virtual sensors. The file 2011-Mar-16-10_00_00 is the current KB file loaded for virtual sensor vs0.

sensor# show ad-knowledge-base files

Virtual Sensor vs0

Filename Size Created

initial 84 04:27:07 CDT Wed Jan 28 2011

* 2011-Jan-29-10_00_01 84 04:27:07 CDT Wed Jan 29 2011

2011-Mar-17-10_00_00 84 10:00:00 CDT Fri Mar 17 2011

2011-Mar-18-10_00_00 84 10:00:00 CDT Sat Mar 18 2011

sensor#
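The following Python script is added here as an example; it is not part of the Cisco IPS product or of this reference. It parses captured show ad-knowledge-base files output (the sample below is copied from the example above, prompt lines included), identifies the KB marked with * for each virtual sensor, and lists any saved KBs created after the loaded one, so an operator can see at a glance when a sensor is running on an older KB than it has on disk. The function and class names are the script's own.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Sample output copied from the show ad-knowledge-base files example above.
SAMPLE_OUTPUT = """\
sensor# show ad-knowledge-base files
Virtual Sensor vs0
Filename Size Created
initial 84 04:27:07 CDT Wed Jan 28 2011
* 2011-Jan-29-10_00_01 84 04:27:07 CDT Wed Jan 29 2011
2011-Mar-17-10_00_00 84 10:00:00 CDT Fri Mar 17 2011
2011-Mar-18-10_00_00 84 10:00:00 CDT Sat Mar 18 2011
sensor#
"""


class KBFile(NamedTuple):
    virtual_sensor: str
    name: str
    size: int
    created: datetime   # naive local time; the zone label is kept separately
    zone: str
    current: bool       # True for the row marked with *


VS_RE = re.compile(r"^Virtual Sensor (?P<vs>\S+)\s*$")
# One file row: optional "* ", name, size, hh:mm:ss, zone, weekday, "Mon dd yyyy".
FILE_RE = re.compile(
    r"^(?P<star>\*\s+)?(?P<name>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<zone>\S+)\s+"
    r"(?P<weekday>\w{3})\s+(?P<date>\w{3}\s+\d{1,2}\s+\d{4})\s*$"
)


def parse_kb_files(output: str) -> List[KBFile]:
    """Parse captured show ad-knowledge-base files output into KBFile rows."""
    files: List[KBFile] = []
    vs: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = VS_RE.match(line)
        if m:
            vs = m.group("vs")
            continue
        m = FILE_RE.match(line)
        if not m or vs is None:
            continue  # prompt, column header or blank line
        created = datetime.strptime(
            f"{m.group('date')} {m.group('time')}", "%b %d %Y %H:%M:%S")
        files.append(KBFile(vs, m.group("name"), int(m.group("size")),
                            created, m.group("zone"), m.group("star") is not None))
    return files


def current_kb(files: List[KBFile], vs: str) -> Optional[str]:
    """Name of the KB marked * for the given virtual sensor, or None."""
    for f in files:
        if f.virtual_sensor == vs and f.current:
            return f.name
    return None


def newer_than_current(files: List[KBFile], vs: str) -> List[str]:
    """Saved KBs for vs that were created after the one currently loaded.

    A non-empty result means the sensor is inspecting with an older KB than it
    holds on disk; review whether the newer KB was meant to be loaded.
    """
    loaded = [f for f in files if f.virtual_sensor == vs and f.current]
    if not loaded:
        return []
    cutoff = loaded[0].created
    return [f.name for f in files
            if f.virtual_sensor == vs and not f.current and f.created > cutoff]


def kb_summary(output: str) -> Dict[str, Dict[str, object]]:
    """Per-virtual-sensor view: the loaded KB plus any newer saved KBs."""
    files = parse_kb_files(output)
    summary: Dict[str, Dict[str, object]] = {}
    for vs in sorted({f.virtual_sensor for f in files}):
        summary[vs] = {"current": current_kb(files, vs),
                       "newer": newer_than_current(files, vs)}
    return summary


if __name__ == "__main__":
    for vs, info in kb_summary(SAMPLE_OUTPUT).items():
        print(f"{vs}: loaded {info['current']}, newer on disk: {info['newer']}")
```

The script keeps the creation time naive and stores the zone label (CDT) beside it; a deployment that compares KBs across sensors in different time zones would need to convert before comparing.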

show ad-knowledge-base thresholds

To display the thresholds for a KB, use the show ad-knowledge-base thresholds command in EXEC mode.

The following example displays the thresholds contained in the current KB for the illegal zone, protocol other, protocol number 1:

sensor# show ad-knowledge-base vs0 thresholds current zone illegal protocol other number 1

2011-Mar-16-10_00_00

Illegal Zone

Other Protocol 1

Scanner Threshold

>> User Configuration = 79

>> Knowledge Base = 50

Threshold Histogram

Destination IP 5 10 100

>> User Configuration: source IP 100 5 0

>> Knowledge Base: source IP 12 1 0

sensor#

show begin

To search the output of certain show commands, use the show begin command in EXEC mode. This command begins unfiltered output of the show command with the first line that contains the regular expression specified.

Command History

Usage Guidelines

The regular-expression argument is case sensitive and allows for complex matching requirements.

Examples

The following example shows the output beginning with the regular expression “ip”:

sensor# show configuration | begin ip

host-ip 172.21.172.25/8,172.21.172.1

host-name sensor

access-list 0.0.0.0/0

login-banner-text This message will be displayed on user login.

exit

time-zone-settings

offset -360

standard-time-zone-name CST

exit

exit

! ------------------------------

service interface

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

user-profiles mona

enable-password foobar

exit

exit

! ------------------------------

service notification

--MORE--

Related Commands

Command

Description

more begin

Searches the output of the more command and displays the output from the first instance of a specified string.

more exclude

Filters the more command output so that it excludes lines that contain a particular regular expression.

more include

Filters the more command output so that it displays only lines that contain a particular regular expression.

show exclude

Filters the show command output so that it excludes lines that contain a particular regular expression.

show include

Filters the show command output so that it displays only lines that contain a particular regular expression.

show clock

To display the system clock, use the show clock command in EXEC mode.

show clock [detail]

Syntax Description

detail

(Optional) Indicates the clock source (NTP or system) and the current summertime setting (if any).

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

The system clock keeps an “authoritative” flag that indicates whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. Table 2-2 shows the authoritative flags.

Table 2-2 Authoritative Flags

Symbol

Description

*

Time is not authoritative.

(blank)

Time is authoritative.

.

Time is authoritative, but NTP is not synchronized.

Examples

The following example shows NTP configured and synchronized:

sensor# show clock detail

12:30:02 CST Tues Dec 19 2011

Time source is NTP

Summer time starts 03:00:00 CDT Sun Apr 7 2011

Summer time ends 01:00:00 CST Sun Oct 27 2011

sensor#

The following example shows no time source configured:

sensor# show clock

*12:30:02 EST Tues Dec 19 2011

sensor#

The following example shows no time source is configured:

sensor# show clock detail

*12:30:02 CST Tues Dec 19 2011

No time source

Summer time starts 02:00:00 CST Sun Apr 7 2011

Summer time ends 02:00:00 CDT Sun Oct 27 2011
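The following Python script is added here as an example and is not part of the Cisco IPS product or of this reference. It parses show clock output, interprets the leading authoritative flag according to Table 2-2, and returns the reasons an operator should not rely on the sensor's timestamps for event correlation. Three of the samples are copied from the examples above; the fourth (the "." flag) is constructed to exercise the remaining table row. The function and class names are the script's own.

```python
import re
from typing import List, NamedTuple, Optional

# Samples copied from the show clock examples above.
SAMPLE_NTP_SYNCED = """\
sensor# show clock detail
12:30:02 CST Tues Dec 19 2011
Time source is NTP
Summer time starts 03:00:00 CDT Sun Apr 7 2011
Summer time ends 01:00:00 CST Sun Oct 27 2011
sensor#
"""

SAMPLE_NO_DETAIL = """\
sensor# show clock
*12:30:02 EST Tues Dec 19 2011
sensor#
"""

SAMPLE_NO_SOURCE = """\
sensor# show clock detail
*12:30:02 CST Tues Dec 19 2011
No time source
Summer time starts 02:00:00 CST Sun Apr 7 2011
Summer time ends 02:00:00 CDT Sun Oct 27 2011
"""

# Constructed sample (not from the reference): the "." flag from Table 2-2.
SAMPLE_NTP_UNSYNCED = """\
sensor# show clock detail
.12:30:02 CST Tues Dec 19 2011
Time source is NTP
sensor#
"""

# Meaning of the leading flag, per Table 2-2 above.
FLAG_MEANING = {
    "*": "Time is not authoritative.",
    "": "Time is authoritative.",
    ".": "Time is authoritative, but NTP is not synchronized.",
}

# Clock line: optional flag, hh:mm:ss, zone, then the date text.
CLOCK_LINE_RE = re.compile(r"^(?P<flag>[*.]?)(?P<ts>\d{2}:\d{2}:\d{2}\s+\S+\s+.+)$")
SOURCE_RE = re.compile(r"^Time source is (?P<src>\S+)\s*$")


class ClockStatus(NamedTuple):
    flag: str
    timestamp: str
    meaning: str
    time_source: str                  # "NTP", "none", or "unknown" without detail
    authoritative: bool
    ntp_synchronized: Optional[bool]  # None when the output cannot tell


def parse_show_clock(output: str) -> ClockStatus:
    """Interpret one captured show clock or show clock detail output."""
    flag: Optional[str] = None
    ts: Optional[str] = None
    source = "unknown"
    for raw in output.splitlines():
        line = raw.strip()
        m = CLOCK_LINE_RE.match(line)
        if m and ts is None:
            flag, ts = m.group("flag"), m.group("ts")
            continue
        m = SOURCE_RE.match(line)
        if m:
            source = m.group("src")
        elif line == "No time source":
            source = "none"
    if ts is None or flag is None:
        raise ValueError("no clock line found in output")
    authoritative = flag != "*"
    if flag in ("*", "."):
        synced: Optional[bool] = False
    elif source == "unknown":
        synced = None  # plain show clock does not report the source
    else:
        synced = source == "NTP"
    return ClockStatus(flag, ts, FLAG_MEANING[flag], source, authoritative, synced)


def clock_concerns(status: ClockStatus) -> List[str]:
    """Reasons this sensor's timestamps should not be trusted for correlation."""
    concerns: List[str] = []
    if not status.authoritative:
        concerns.append("clock is not authoritative")
    if status.flag == ".":
        concerns.append("NTP is not synchronized")
    if status.time_source == "none":
        concerns.append("no time source configured")
    return concerns


if __name__ == "__main__":
    for sample in (SAMPLE_NTP_SYNCED, SAMPLE_NO_DETAIL, SAMPLE_NO_SOURCE, SAMPLE_NTP_UNSYNCED):
        status = parse_show_clock(sample)
        print(status.timestamp, "->", status.meaning, clock_concerns(status))
```

Run show clock detail rather than show clock when collecting this: without the detail keyword the time source is not printed, so the script can only report the flag and leaves ntp_synchronized undetermined for an unflagged clock.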

show configuration

See the more current-config command under the more command.

Command History

Release

Modification

4.0(2)

This command was added.

show events

To display the local event log contents, use the show events command in EXEC mode.

Syntax Description

alert

Displays alerts. Provides notification of some suspicious activity that may indicate an intrusion attack is in progress or has been attempted. Alert events are generated by the analysis engine whenever an IPS signature is triggered by network activity. If no level is selected (informational, low, medium, high), all alert events are displayed.

informational

Specifies informational alerts.

low

Specifies low alerts.

medium

Specifies medium alerts.

high

Specifies high alerts.

include-traits

Displays alerts that have the specified traits.

exclude-traits

Does not display alerts that have the specified traits.

traits

Trait bit position in decimal (0-15).

min-threat-rating

Specifies to show minimum threat ratings.

min-rr

Displays events with a threat rating above or equal to this value. The valid range is 0 to 100. The default is 0.

max-threat-rating

Displays events with a threat rating below or equal to this value. The valid range is 0 to 100. The default is 100.

max-rr

Specifies to show maximum threat ratings.

error

Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.

warning

Specifies warning errors.

error

Specifies error errors.

fatal

Specifies fatal errors.

NAC

Displays ARC requests (block requests).

Note Network Access Controller is now known as Attack Response Controller (ARC). Although the service has a new name, the change is not reflected in the Cisco IPS 6.2 and later CLI. You will still see network-access and nac throughout the CLI.

status

Displays status events.

hh:mm:ss

Starts time in hours (24-hour format), minutes, and seconds.

day

Starts day (by date) in the month.

month

Starts month (by name).

year

Starts year (no abbreviation).

past

Displays events starting in the past. The hh:mm:ss specify a time in the past to begin the display.

Usage Guidelines

The show events command displays the requested event types beginning at the requested start time. If no start time is entered, the selected events are displayed beginning at the current time. If no event types are entered, all events are displayed. Events are displayed as a live feed. You can cancel the live feed by pressing Ctrl-C.

Use the regular expression | include shunInfo with the show events command to view the blocking information, including source address, for the event.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example displays block requests beginning at 10:00 a.m. on July 25, 2011:

sensor# show events NAC 10:00:00 Jul 25 2011

The following example displays error and fatal error messages beginning at the current time:

sensor# show events error fatal error

The following example displays all events beginning at 10:00 a.m. on July 25, 2011:

sensor# show events 10:00:00 Jul 25 2011

The following example displays all events beginning 30 seconds in the past:

Related Commands

Command

Description

more begin

Searches the output of the more command and displays the output from the first instance of a specified string.

more exclude

Filters the more command output so that it excludes lines that contain a particular regular expression.

more include

Filters the more command output so that it displays only lines that contain a particular regular expression.

show begin

Searches the output of certain show commands and displays the output from the first instance of a specified string.

show include

Filters the show command output so that it displays only lines that contain a particular regular expression.

show health

To display the health and security status of the IPS, use the show health command in EXEC mode.

show health

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

6.1(1)

This command was introduced.

7.0(1)

Added global correlation and network participation.

Usage Guidelines

Use this command to display the health status for the health metrics tracked by the IPS and the security status for each configured virtual sensor. When the IPS is brought up, it is normal for certain health metric statuses to be Red until the IPS is fully initialized. Also, security statuses are not displayed until initialization is complete.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example displays the status of IPS health:

sensor# show health

Overall Health Status Green

Health Status for Failed Applications Green

Health Status for Signature Updates Green

Health Status for License Key Expiration Green

Health Status for Running in Bypass Mode Green

Health Status for Interfaces Being Down Green

Health Status for the Inspection Load Green

Health Status for the Time Since Last Event Retrieval Green

Health Status for the Number of Missed Packets Green

Health Status for the Memory Usage Not Enabled

Health Status for Global Correlation Green

Health Status for Network Participation Not Enabled

Security Status for Virtual Sensor vs0 Green

sensor#
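The following Python script is added here as an example and is not part of the Cisco IPS product or of this reference. It parses captured show health output into a metric-to-status map, lists the metrics that are Red or Yellow (worst first), the metrics that are Not Enabled, and the security status of each virtual sensor. The first sample is copied from the example above; the second is constructed to show a degraded sensor (Yellow is an IPS health state that the sample above does not happen to contain). The function names are the script's own.

```python
import re
from typing import Dict, List

# Sample output copied from the show health example above.
SAMPLE_HEALTHY = """\
sensor# show health
Overall Health Status Green
Health Status for Failed Applications Green
Health Status for Signature Updates Green
Health Status for License Key Expiration Green
Health Status for Running in Bypass Mode Green
Health Status for Interfaces Being Down Green
Health Status for the Inspection Load Green
Health Status for the Time Since Last Event Retrieval Green
Health Status for the Number of Missed Packets Green
Health Status for the Memory Usage Not Enabled
Health Status for Global Correlation Green
Health Status for Network Participation Not Enabled
Security Status for Virtual Sensor vs0 Green
sensor#
"""

# Constructed sample (not from the reference): a degraded sensor. Bypass mode
# being Red means traffic is passing the sensor without inspection.
SAMPLE_DEGRADED = """\
sensor# show health
Overall Health Status Red
Health Status for Failed Applications Green
Health Status for Signature Updates Yellow
Health Status for License Key Expiration Green
Health Status for Running in Bypass Mode Red
Health Status for Interfaces Being Down Red
Security Status for Virtual Sensor vs0 Yellow
sensor#
"""

# Each status line ends in one of these tokens; the rest of the line is the metric.
STATUS_RE = re.compile(r"^(?P<metric>.+?)\s+(?P<status>Green|Yellow|Red|Not Enabled)\s*$")
VS_RE = re.compile(r"^Security Status for Virtual Sensor (?P<vs>\S+)$")
SEVERITY = {"Red": 2, "Yellow": 1, "Green": 0, "Not Enabled": 0}


def parse_show_health(output: str) -> Dict[str, str]:
    """Map each metric name to its status, preserving output order."""
    statuses: Dict[str, str] = {}
    for raw in output.splitlines():
        m = STATUS_RE.match(raw.strip())
        if m:  # prompt and command echo lines do not match
            statuses[m.group("metric")] = m.group("status")
    return statuses


def degraded_metrics(statuses: Dict[str, str]) -> List[str]:
    """Metrics reporting Red or Yellow, worst first (stable within a level)."""
    return sorted((m for m, s in statuses.items() if s in ("Red", "Yellow")),
                  key=lambda m: -SEVERITY[statuses[m]])


def unmonitored_metrics(statuses: Dict[str, str]) -> List[str]:
    """Metrics the sensor is not tracking at all (status Not Enabled)."""
    return [m for m, s in statuses.items() if s == "Not Enabled"]


def virtual_sensor_status(statuses: Dict[str, str]) -> Dict[str, str]:
    """Security status per configured virtual sensor."""
    result: Dict[str, str] = {}
    for metric, status in statuses.items():
        m = VS_RE.match(metric)
        if m:
            result[m.group("vs")] = status
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_HEALTHY, SAMPLE_DEGRADED):
        statuses = parse_show_health(sample)
        print("overall:", statuses.get("Overall Health Status"))
        print("degraded:", degraded_metrics(statuses))
        print("not enabled:", unmonitored_metrics(statuses))
        print("virtual sensors:", virtual_sensor_status(statuses))
```

As the Usage Guidelines note, some metrics are normally Red while the IPS is still initializing, and security statuses are absent until initialization completes; a poller built on this script should suppress alerts for a sensor that has just been brought up, and an empty virtual_sensor_status result is one sign that it has not finished.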

show history

To list the commands you have entered in the current menu, use the show history command in all modes.

show history

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

All modes

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

The show history command provides a record of the commands you have entered in the current menu. The number of commands that the history buffer records is 50.

Examples

The following example shows the command record for the show history command:

sensor# show history

show users

show events

sensor#

show include

To filter the show command output so that it displays only lines that contain a particular regular expression, use the show include command in EXEC mode.

Command History

Usage Guidelines

The regular-expression argument is case sensitive and allows for complex matching requirements.

The show settings command output also displays header information for the matching request so that the context of the match can be determined.

Examples

The following example shows only the regular expression “ip” being included in the output:

sensor# show configuration | include ip

host-ip 172.21.172.25/8,172.21.172.1

sensor#

Related Commands

Command

Description

more begin

Searches the output of the more command and displays the output from the first instance of a specified string.

more exclude

Filters the more command output so that it excludes lines that contain a particular regular expression.

more include

Filters the more command output so that it displays only lines that contain a particular regular expression.

show begin

Searches the output of certain show commands and displays the output from the first instance of a specified string.

show exclude

Filters the show command output so that it excludes lines that contain a particular regular expression.

show inspection-load

To show a timestamp of the current time and last current inspection load percentage, use the show inspection-load command. Use the history keyword to show three histograms of the historical values of the inspection load percentage.

show inspection-load [history]

Syntax Description

history

(Optional) Shows a timestamp and three histograms of the historical values of the inspection load percentage.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

7.1(3)

The inspection-load extension of the show command was added.

Usage Guidelines

Executing the show inspection-load command shows a timestamp of the current time and last current inspection load percentage. Executing the show inspection-load history command shows a timestamp and three histograms of historical values of the inspection load percentage. The first histogram displays the load for 10-second intervals of the last 6 minutes. The second histogram displays the average load along with a maximum load level for each minute of the last 60 minutes. The third histogram displays the average and maximum load levels for each hour of the last 72 hours.

Examples

The following example shows the timestamp, last inspection load percentage, and three histograms:

show interfaces

To display statistics for all system interfaces, use the show interfaces command in EXEC mode. This command displays show interfaces management, show interfaces fastethernet, and show interface gigabitethernet.

Syntax Description

brief

(Optional) Displays a summary of the usability status information for each interface.

FastEthernet

Displays the statistics for FastEthernet interfaces.

GigabitEthernet

Displays the statistics for GigabitEthernet interfaces.

Management

Displays the statistics for the Management interface.

Note Only platforms with external ports marked as Management support this keyword. The management interface for the remaining platforms is displayed in the show interfaces output based on the interface type, normally FastEthernet.

PortChannel

Displays the statistics for PortChannel interfaces.

slot/port

Refer to the appropriate hardware manual for slot and port information.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

5.0(1)

The show interfaces group, show interfaces sensing, and show interfaces command-control commands were removed. The show interfaces FastEthernet, show interfaces GigabitEthernet, and show interfaces Management commands were added.

6.0(1)

The brief keyword was added.

7.1(1)

The PortChannel command was added.

Usage Guidelines

This command displays statistics for the command control and sensing interfaces. The clear option also clears statistics that can be reset.

Using this command with an interface type displays statistics for all interfaces of that type. Adding the slot and/or port number displays the statistics for that particular interface.

An * next to an entry indicates the interface is the command and control interface.

Note The show interface command output for the IPS 4510 and IPS 4520 does not include the total undersize packets or total transmit FIFO overruns.

Examples

The following example shows the interface statistics:

sensor# show interfaces

Interface Statistics

Total Packets Received = 0

Total Bytes Received = 0

Missed Packet Percentage = 0

Current Bypass Mode = Auto_off

MAC statistics from interface GigabitEthernet0/0

Media Type = TX

Missed Packet Percentage = 0

Inline Mode = Unpaired

Pair Status = N/A

Link Status = Down

Link Speed = N/A

Link Duplex = N/A

Total Packets Received = 0

Total Bytes Received = 0

Total Multicast Packets Received = 0

Total Broadcast Packets Received = 0

Total Jumbo Packets Received = 0

Total Undersize Packets Received = 0

Total Receive Errors = 0

Total Receive FIFO Overruns = 0

Total Packets Transmitted = 0

Total Bytes Transmitted = 0

Total Multicast Packets Transmitted = 0

--MORE--

The following example shows the brief output for interface statistics:

sensor# show interfaces brief

CC Interface Sensing State Link Inline Mode Pair Status

GigabitEthernet0/0 Enabled Up Unpaired N/A

* GigabitEthernet0/1 Enabled Up Unpaired N/A

GigabitEthernet2/1 Disabled Up Subdivided N/A

sensor#
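The following Python script is added here as an example and is not part of the Cisco IPS product or of this reference. It parses the show interfaces brief table, identifies the command and control interface from the * marker described in the Usage Guidelines, and lists sensing interfaces whose link is Down. The first sample is copied from the example above; the second is constructed to exercise the link-down case. The function and class names are the script's own.

```python
import re
from typing import List, NamedTuple, Optional

# Sample output copied from the show interfaces brief example above.
SAMPLE_BRIEF = """\
sensor# show interfaces brief
CC Interface Sensing State Link Inline Mode Pair Status
GigabitEthernet0/0 Enabled Up Unpaired N/A
* GigabitEthernet0/1 Enabled Up Unpaired N/A
GigabitEthernet2/1 Disabled Up Subdivided N/A
sensor#
"""

# Constructed sample (not from the reference): a sensing interface with link Down.
SAMPLE_LINK_DOWN = """\
sensor# show interfaces brief
CC Interface Sensing State Link Inline Mode Pair Status
GigabitEthernet0/0 Enabled Down Unpaired N/A
* GigabitEthernet0/1 Enabled Up Unpaired N/A
sensor#
"""

# One table row: optional "* " (command and control), name, then four columns.
ROW_RE = re.compile(
    r"^(?P<cc>\*\s+)?(?P<name>\S+)\s+(?P<sensing>Enabled|Disabled)\s+"
    r"(?P<link>Up|Down)\s+(?P<inline>\S+)\s+(?P<pair>\S+)\s*$"
)


class Interface(NamedTuple):
    name: str
    command_control: bool
    sensing_enabled: bool
    link_up: bool
    inline_mode: str
    pair_status: str


def parse_interfaces_brief(output: str) -> List[Interface]:
    """Parse captured show interfaces brief output; header and prompts are skipped."""
    rows: List[Interface] = []
    for raw in output.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        rows.append(Interface(
            name=m.group("name"),
            command_control=m.group("cc") is not None,
            sensing_enabled=m.group("sensing") == "Enabled",
            link_up=m.group("link") == "Up",
            inline_mode=m.group("inline"),
            pair_status=m.group("pair"),
        ))
    return rows


def command_control_interface(ifaces: List[Interface]) -> Optional[str]:
    """Name of the interface marked with *, or None if the table has none."""
    marked = [i.name for i in ifaces if i.command_control]
    if len(marked) > 1:
        raise ValueError(f"more than one command and control interface: {marked}")
    return marked[0] if marked else None


def sensing_interfaces_down(ifaces: List[Interface]) -> List[str]:
    """Sensing-enabled interfaces (other than command and control) with link Down."""
    return [i.name for i in ifaces
            if i.sensing_enabled and not i.link_up and not i.command_control]


if __name__ == "__main__":
    for sample in (SAMPLE_BRIEF, SAMPLE_LINK_DOWN):
        ifaces = parse_interfaces_brief(sample)
        print("command and control:", command_control_interface(ifaces))
        print("sensing interfaces down:", sensing_interfaces_down(ifaces))
```

The link-down list corresponds to what the show health metric "Health Status for Interfaces Being Down" summarizes; this parser names the specific interface, which the health summary does not.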

show interfaces-history

To display historical statistics for all system interfaces, use the show interfaces-history command in EXEC mode. The historical information for each interface is maintained for three days at 60-second granularity. Use the show interfaces-history {FastEthernet | GigabitEthernet | Management | PortChannel} [traffic-by-hour | traffic-by-minute] command to display statistics for specific interfaces.

Syntax Description

Specifies the amount of time to go back in the past to begin the traffic display. The range for HH is 0 to 72. The range for MM is 0 to 59. The minimum value is 00:01 and the maximum value is 72:00.

FastEthernet

Displays the statistics for FastEthernet interfaces.

GigabitEthernet

Displays the statistics for GigabitEthernet interfaces.

Management

Displays the statistics for the Management interface.

Note Only platforms with external ports marked as Management support this keyword. The management interface for the remaining platforms is displayed in the show interfaces output based on the interface type, normally FastEthernet.

PortChannel

Displays the statistics for PortChannel interfaces.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

7.1(8)

This command was introduced.

Usage Guidelines

Each record has the following details:

Total packets received

Total bytes received

FIFO overruns

Receive errors

Received Mbps

Missed packet percentage

Average load

Peak load

Note You must have health monitoring enabled to support the historic interface function.

Note Historical data for each interface for the past 72 hours is also included in the show tech-support command.

Note The show interface command output for the IPS 4510 and IPS 4520 does not include the total undersize packets or total transmit FIFO overruns.

show inventory

To display PEP information, use the show inventory command in EXEC mode. This command displays the UDI information that consists of PID, VID and SN of the sensor. If your sensor supports SFP/SFP+ modules and Regex accelerator cards, they are also displayed.

show inventory

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

5.0(1)

This command was introduced.

7.1(5)

This command was modified to display the SFP/SFP+ modules and Regex accelerator cards.

7.1(8)

This command was modified to display IPS 4300 series sensor power supplies.

Usage Guidelines

This is the same as the show inventory Cisco IOS command required by Cisco PEP policy. The output of show inventory is different depending on the hardware.

show os-identification

To display OS IDs associated with IP addresses learned by the sensor through passive analysis, use the show os-identification command in EXEC mode.

show os-identification [ name ] learned [ ip-address ]

Syntax Description

name

(Optional) The name of the virtual sensor configured on the sensor. The show operation is restricted to learned IP addresses associated with the identified virtual sensor.

learned

Specifies the learned IP addresses.

ip-address

(Optional) The IP address to query. The sensor reports the OS ID mapped to the specified IP address.

Defaults

This command has no defaults or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

6.0(1)

This command was introduced.

Usage Guidelines

The IP address and virtual sensor are optional. If you specify an IP address, only the OS identification for the specified IP address is reported. Otherwise, all learned OS identifications are reported.

If you specify a virtual sensor, only the OS identification for the specified virtual sensor is displayed; otherwise, the learned OS identifications for all virtual sensors are displayed. If you specify an IP address without a virtual sensor, the output displays all virtual sensors containing the requested IP address.

Examples

The following example displays the OS identification for a specific IP address:

sensor# show os-identification learned 10.1.1.12

Virtual Sensor vs0:

10.1.1.12 windows

The following example displays the OS identification for all virtual sensors:

sensor# show os-identification learned

Virtual Sensor vs0:

10.1.1.12 windows

Virtual Sensor vs1:

10.1.0.1 unix

10.1.0.2 windows

10.1.0.3 windows

sensor#

Related Commands

Command

Description

show statistics os-identification

Displays the statistics for OS IDs.

clear os-identification

Deletes OS ID associations with IP addresses that were learned by the sensor through passive analysis.

show privilege

To display your current level of privilege, use the show privilege command in EXEC mode.

show privilege

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Use this command to display your current level of privilege. A privilege level can only be modified by the administrator. See the username command for more information.

Examples

The following example shows the privilege of the user:

sensor# show privilege

Current privilege level is viewer

sensor#

Related Commands

Command

Description

username

Creates users on the local sensor.

show settings

To display the contents of the configuration contained in the current submode, use the show settings command in any service command mode.

Command History

Usage Guidelines

This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows the output for the show settings command in ARC configuration mode.

Note Network Access Controller is now known as Attack Response Controller (ARC). Although the service has a new name, the change is not reflected in the Cisco IPS 6.2 and later CLI. You will still see network-access and nac throughout the CLI.

sensor# configure terminal

sensor(config)# service network-access

sensor(config-net)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: true default: false

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 <defaulted>

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

user-profiles (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

cat6k-devices (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

router-devices (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

firewall-devices (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

sensor(config-net)#

The following example shows the show settings terse output for the signature definition submode.

Related Commands

show ssh host-keys

To display the known hosts table containing the public keys of remote SSH servers with which the sensor can connect, use the show ssh host-keys in EXEC mode.

show ssh host-keys [ipaddress]

Syntax Description

ipaddress

A 32-bit address written as 4 octets separated by periods, X.X.X.X, where X = 0-255.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

4.1(1)

Bubble Babble and MD5 output to the command were added.

Usage Guidelines

Running this command without the optional IP address displays a list of the IP addresses configured with public keys. Running the command with a specific IP address displays the key associated with that IP address.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows the output of the show ssh host-keys command:

The show statistics anomaly-detection, denied-attackers, virtual-sensor, and os-identification commands display statistics for all the virtual sensors contained in the sensor. If you provide the optional name, the statistics for that virtual sensor are displayed.

Syntax Description

Note This option is not available for analysis engine, anomaly detection, host, OS identification, or network access statistics.

analysis-engine

Displays analysis engine statistics.

anomaly-detection

Displays anomaly detection statistics.

authentication

Displays authorization authentication statistics.

denied-attackers

Displays the list of denied IP addresses and the number of packets from each attacker.

event-server

Displays event server statistics.

event-store

Displays event store statistics.

external-product-interface

Displays external product interface statistics.

global-correlation

Displays global correlation statistics.

host

Displays host (main) statistics.

logger

Displays logger statistics.

network-access

Displays ARC statistics.

Note Network Access Controller is now known as Attack Response Controller (ARC). Although the service has a new name, the change is not reflected in the Cisco IPS 6.2 and later CLI. You will still see network-access and nac throughout the CLI.

Usage Guidelines

This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows the authentication statistics:

sensor# show statistics authentication

General

totalAuthenticationAttempts = 9

failedAuthenticationAttempts = 0

sensor#

The following example shows the statistics for the Event Store:

sensor# show statistics event-store

Event store statistics

General information about the event store

The current number of open subscriptions = 1

The number of events lost by subscriptions and queries = 0

The number of queries issued = 1

The number of times the event store circular buffer has wrapped = 0

Number of events of each type currently stored

Debug events = 0

Status events = 129

Log transaction events = 0

Shun request events = 0

Error events, warning = 8

Error events, error = 13

Error events, fatal = 0

Alert events, informational = 0

Alert events, low = 0

Alert events, medium = 0

Alert events, high = 0

sensor#

The following example shows the logger statistics:

sensor# show statistics logger

The number of Log interprocessor FIFO overruns = 0

The number of syslog messages received = 27

The number of <evError> events written to the event store by severity

Fatal Severity = 0

Error Severity = 13

Warning Severity = 35

TOTAL = 48

The number of log messages written to the message log by severity

Fatal Severity = 0

Error Severity = 13

Warning Severity = 8

Timing Severity = 0

Debug Severity = 0

Unknown Severity = 26

TOTAL = 47

sensor#

The following example shows the ARC statistics:

sensor# show statistics network-access

Current Configuration

LogAllBlockEventsAndSensors = true

EnableNvramWrite = false

EnableAclLogging = false

AllowSensorBlock = false

BlockMaxEntries = 250

MaxDeviceInterfaces = 250

State

BlockEnable = true

sensor#

For the IPS 4510 and IPS 4520, at the end of the command output, there are extra details for the Ethernet controller statistics, such as the total number of packets received at the Ethernet controller, the total number of packets dropped at the Ethernet controller under high load conditions, and the total packets transmitted including the customer traffic packets and the internal keepalive packet count.

sensor# show statistics analysis-engine

Analysis Engine Statistics

Number of seconds since service started = 431157

Processing Load Percentage

Thread 5 sec 1 min 5 min

0 1 1 1

1 1 1 1

2 1 1 1

3 1 1 1

4 1 1 1

5 1 1 1

6 1 1 1

Average 1 1 1

The rate of TCP connections tracked per second = 0

The rate of packets per second = 0

The rate of bytes per second = 0

Receiver Statistics

Total number of packets processed since reset = 0

Total number of IP packets processed since reset = 0

Transmitter Statistics

Total number of packets transmitted = 133698

Total number of packets denied = 203

Total number of packets reset = 3

Fragment Reassembly Unit Statistics

Number of fragments currently in FRU = 0

Number of datagrams currently in FRU = 0

TCP Stream Reassembly Unit Statistics

TCP streams currently in the embryonic state = 0

TCP streams currently in the established state = 0

TCP streams currently in the closing state = 0

TCP streams currently in the system = 0

TCP Packets currently queued for reassembly = 0

The Signature Database Statistics.

Total nodes active = 0

TCP nodes keyed on both IP addresses and both ports = 0

UDP nodes keyed on both IP addresses and both ports = 0

IP nodes keyed on both IP addresses = 0

Statistics for Signature Events

Number of SigEvents since reset = 0

Statistics for Actions executed on a SigEvent

Number of Alerts written to the IdsEventStore = 0

Inspection Stats

Inspector active call create delete loadPct

AtomicAdvanced 0 2312 4 4 33

Fixed 0 1659 1606 1606 1

MSRPC_TCP 0 20 4 4 0

MSRPC_UDP 0 1808 1575 1575 0

MultiString 0 145 10 10 2

ServiceDnsUdp 0 1841 3 3 0

ServiceGeneric 0 2016 14 14 1

ServiceHttp 0 2 2 2 51

ServiceNtp 0 3682 3176 3176 0

ServiceP2PTCP 0 21 9 9 0

ServiceRpcUDP 0 1841 3 3 0

ServiceRpcTCP 0 130 9 9 0

ServiceSMBAdvanced 0 139 3 3 0

ServiceSnmp 0 1841 3 3 0

ServiceTNS 0 18 14 14 0

String 0 225 16 16 0

SweepUDP 0 1808 1555 1555 6

SweepTCP 0 576 17 17 0

SweepOtherTcp 0 288 6 6 0

TrojanBO2K 0 261 11 11 0

TrojanUdp 0 1808 1555 1555 0

GlobalCorrelationStats

SwVersion = 7.1(4.70)E4

SigVersion = 645.0

DatabaseRecordCount = 0

DatabaseVersion = 0

RuleVersion = 0

ReputationFilterVersion = 0

AlertsWithHit = 0

AlertsWithMiss = 0

AlertsWithModifiedRiskRating = 0

AlertsWithGlobalCorrelationDenyAttacker = 0

AlertsWithGlobalCorrelationDenyPacket = 0

AlertsWithGlobalCorrelationOtherAction = 0

AlertsWithAuditRepDenies = 0

ReputationForcedAlerts = 0

EventStoreInsertTotal = 0

EventStoreInsertWithHit = 0

EventStoreInsertWithMiss = 0

EventStoreDenyFromGlobalCorrelation = 0

EventStoreDenyFromOverride = 0

EventStoreDenyFromOverlap = 0

EventStoreDenyFromOther = 0

ReputationFilterDataSize = 0

ReputationFilterPacketsInput = 0

ReputationFilterRuleMatch = 0

DenyFilterHitsNormal = 0

DenyFilterHitsGlobalCorrelation = 0

SimulatedReputationFilterPacketsInput = 0

SimulatedReputationFilterRuleMatch = 0

SimulatedDenyFilterInsert = 0

SimulatedDenyFilterPacketsInput = 0

SimulatedDenyFilterRuleMatch = 0

TcpDeniesDueToGlobalCorrelation = 0

TcpDeniesDueToOverride = 0

TcpDeniesDueToOverlap = 0

TcpDeniesDueToOther = 0

SimulatedTcpDeniesDueToGlobalCorrelation = 0

SimulatedTcpDeniesDueToOverride = 0

SimulatedTcpDeniesDueToOverlap = 0

SimulatedTcpDeniesDueToOther = 0

LateStageDenyDueToGlobalCorrelation = 0

LateStageDenyDueToOverride = 0

LateStageDenyDueToOverlap = 0

LateStageDenyDueToOther = 0

SimulatedLateStageDenyDueToGlobalCorrelation = 0

SimulatedLateStageDenyDueToOverride = 0

SimulatedLateStageDenyDueToOverlap = 0

SimulatedLateStageDenyDueToOther = 0

AlertHistogram

RiskHistogramEarlyStage

RiskHistogramLateStage

ConfigAggressiveMode = 0

ConfigAuditMode = 0

RegexAccelerationStats

Status = Enabled

DriverVersion = 6.2.1

Devices = 1

Agents = 12

Flows = 7

Channels = 0

SubmittedJobs = 4968

CompletedJobs = 4968

SubmittedBytes = 72258005

CompletedBytes = 168

TCPFlowsWithoutLCB = 0

UDPFlowsWithoutLCB = 0

TCPMissedPacketsDueToUpdate = 0

UDPMissedPacketsDueToUpdate = 0

MemorySize = 1073741824

HostDirectMemSize = 0

MaliciousSiteDenyHitCounts

MaliciousSiteDenyHitCountsAUDIT

Ethernet Controller Statistics

Total Packets Received = 0

Total Received Packets Dropped = 0

Total Packets Transmitted = 13643

sensor#

show tech-support

To display the current system status, use the show tech-support command in EXEC mode.

show tech-support [page] [ destination-url destination url ]

Syntax Description

page

(Optional) Causes the output to display one page of information at a time. Press Enter to display the next line of output or use the spacebar to display the next page of information. If page is not used, the output is displayed without page breaks.

destination-url

(Optional) Tag indicating the information should be formatted as HTML and sent to the destination following this tag. If this option is selected, the output is not displayed on the screen.

destination url

(Optional) The destination for the report file. If a URL is provided, the output is formatted into an HTML file and sent to the specified destination; otherwise the output is displayed on the screen.

Usage Guidelines

Cisco IOS version 12.0 does not support the destination portion of this command.

The exact format of the destination URL varies according to the file. You can select a filename, but it must be terminated by .html. The following valid types are supported:

Prefix

Source or Destination

ftp:

Destination URL for the FTP network server. The syntax for this prefix is:

ftp://[[username@]location][/relativeDirectory]/filename

ftp://[[username@]location][//absoluteDirectory]/filename

scp:

Destination URL for the SCP network server. The syntax for this prefix is:

scp://[[username@]location][/relativeDirectory]/filename

scp://[[username@]location][//absoluteDirectory]/filename

The report contains HTML-linked output from the following commands:

show interfaces

show statistics network-access

cidDump

Varlog Files

The /var/log/messages file has the latest logs. A softlink called varlog under the /usr/cids/idsRoot/log folder points to the /var/log/messages file. Older logs are stored in the varlog.1 and varlog.2 files. The maximum size of each varlog file is 200 KB; once a file crosses that limit, the content is rotated. The content of varlog, varlog.1, and varlog.2 is displayed in the output of the show tech-support command. The log messages (the /usr/cids/idsRoot/varlog files) persist across sensor reboots only; the old logs are lost during software upgrades.

Examples

The following example places the tech support output into the file ~csidsuser/reports/sensor1Report.html. The path is relative to csidsuser’s home account:

show tls fingerprint

To display the TLS certificate fingerprint of the server, use the show tls fingerprint command in EXEC mode.

show tls fingerprint

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows the output of the show tls fingerprint command:

sensor# show tls fingerprint

MD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BB

SHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AA

sensor#

Related Commands

Command

Description

tls generate-key

Regenerates the self-signed X.509 certificate of the server.

show tls trusted-hosts

To display the sensor’s trusted hosts, use the show tls trusted-hosts command in EXEC mode.

show tls trusted-hosts [ id ]

Syntax Description

id

A 1 to 32 character string uniquely identifying the authorized key. Numbers, “_” and “-” are valid; spaces and ‘?’ are not accepted.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Running this command without the optional ID displays a list of the configured IDs in the system. Running the command with a specific ID displays the fingerprint of the certificate associated with the ID.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows the output from the show tls trusted-hosts command:

sensor# show tls trusted-hosts 172.21.172.1

MD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BB

SHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AA

sensor#

Related Commands

Command

Description

tls trusted-host

Adds a trusted host to the system.

show tls trusted-root-certificates

To display the trusted root certificates of the sensor, use the show tls trusted-root-certificates command in EXEC mode.

show tls trusted-root-certificates

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator

Command History

Release

Modification

7.1(9)

This command was introduced.

Usage Guidelines

This command has no specific usage guidelines.

Examples

The following example shows the output from the show tls trusted-root-certificates command:

Related Commands

show users

To display information about users currently logged in to the CLI, use the show users command in EXEC mode.

show users [ all ]

Syntax Description

all

(Optional) Lists all user accounts configured on the system regardless of current login status.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer (can only view their own logins)

Command History

Release

Modification

4.0(1)

This command was introduced.

4.1(1)

Updated this command to display locked accounts. Limited viewer display for show users all .

Usage Guidelines

For the CLI, this command displays an ID, username, and privilege. An '*' next to the entry indicates the current user. A username surrounded by parentheses “( )” indicates that the account is locked. An account is locked if the user fails to enter the correct password in X subsequent attempts. Resetting the locked user’s password with the password command unlocks the account.

The maximum number of concurrent CLI users allowed is based on platform.

Note The output for this command is different from the Cisco IOS 12.0 command.

Examples

The following example shows the output of the show users command:

sensor# show users

CLI ID User Privilege

1234 notheruser viewer

* 9802 curuser operator

5824 tester administrator

The following example shows user tester2’s account is locked:

sensor# show users all

CLI ID User Privilege

1234 notheruser viewer

* 9802 curuser operator

5824 tester administrator

(tester2) viewer

foobar operator

The following example shows the show users all output for a viewer:

sensor# show users all

CLI ID User Privilege

* 9802 tester viewer

5824 tester viewer
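The show users all format above (CLI ID column, '*' for the current session, parentheses for a locked account, and no CLI ID for accounts that are not logged in) is easy to review by hand on one sensor but tedious across many. The following parser is an added example and is not part of the Cisco documentation or the sensor software; it reads captured show users all output (the sample below is taken from the example in this section) and reports locked accounts, active sessions and administrator accounts. Prompt detection assumes the usual trailing "#" on the sensor prompt, which is an assumption about the capture rather than something the command guarantees.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sample capture, copied from the show users all example in this section.
SAMPLE_SHOW_USERS_ALL = """\
sensor# show users all
CLI ID User Privilege
1234 notheruser viewer
* 9802 curuser operator
5824 tester administrator
(tester2) viewer
foobar operator
"""


@dataclass
class UserEntry:
    username: str
    privilege: str
    cli_id: Optional[str]   # None when the account has no active CLI session
    current: bool           # the line was marked with '*'
    locked: bool            # the username was shown in parentheses


def parse_show_users(output: str) -> List[UserEntry]:
    """Parse show users / show users all output into UserEntry records."""
    entries: List[UserEntry] = []
    for raw in output.splitlines():
        tokens = raw.split()
        # Skip blank lines, the echoed prompt line (assumed to end in '#')
        # and the "CLI ID User Privilege" header.
        if not tokens or tokens[0].endswith("#") or tokens[0] == "CLI":
            continue
        current = tokens[0] == "*"
        if current:
            tokens = tokens[1:]
        if len(tokens) == 3 and tokens[0].isdigit():
            cli_id, name, privilege = tokens          # logged-in user
        elif len(tokens) == 2:
            cli_id, (name, privilege) = None, tokens  # account without a session
        else:
            raise ValueError(f"unrecognized show users line: {raw!r}")
        locked = name.startswith("(") and name.endswith(")")
        if locked:
            name = name[1:-1]
        entries.append(UserEntry(name, privilege, cli_id, current, locked))
    return entries


def locked_accounts(entries: List[UserEntry]) -> List[str]:
    return [e.username for e in entries if e.locked]


def active_sessions(entries: List[UserEntry]) -> List[UserEntry]:
    return [e for e in entries if e.cli_id is not None]


def review(entries: List[UserEntry]) -> dict:
    """Summarize what an administrator would want to check after show users all."""
    current = next((e.username for e in entries if e.current), None)
    return {
        "current_user": current,
        "logged_in": [e.username for e in active_sessions(entries)],
        "locked": locked_accounts(entries),
        "administrators": [e.username for e in entries if e.privilege == "administrator"],
    }


if __name__ == "__main__":
    for key, value in review(parse_show_users(SAMPLE_SHOW_USERS_ALL)).items():
        print(f"{key}: {value}")
```

The same parser handles the viewer-restricted output shown above, because a viewer's lines use the same three-column layout; a locked account that is simultaneously listed as logged in is not something the command output shows, so the parser does not special-case it.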

Related Commands

Command

Description

clear line

Terminates another CLI session.

show version

To display the version information for all installed OS packages, signature packages, and IPS processes running on the system, use the show version command in EXEC mode.

show version

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

7.1(5)

Added SwitchApp to the output to support the 4500 series sensors.

Usage Guidelines

The output for the show version command is IPS-specific and differs from the output for the Cisco IOS command.

The license information follows the serial number and can be one of the following:

No license present

Expired license: <expiration-date>

Valid license, expires: <expiration-date>

Valid demo license, expires: <expiration-date>

where <expiration-date> is of the form dd-mon-yyyy, for example, 04-dec-2004.

Note The * before the upgrade history package name indicates the remaining version after a downgrade is performed. If no package is marked by *, no downgrade is available.

Examples

The following example shows the output for the show version command:

sensor# show version

Application Partition:

Cisco Intrusion Prevention System, Version 7.1(1)E4

Host:

Realm Keys key1.0

Signature Definition:

Signature Update S518.0 2011-10-04

OS Version: 2.6.29.1

Platform: ASA5585-SSP-IPS20

Serial Number: JAF1350ABSF

Licensed, expires: 04-Oct-2011 UTC

Sensor up-time is 4:32.

Using 10378M out of 11899M bytes of available memory (87% usage)

system is using 25.1M out of 160.0M bytes of available disk space (16% usage)

application-data is using 65.4M out of 171.4M bytes of available disk space (40% usage)

boot is using 56.1M out of 71.7M bytes of available disk space (83% usage)

application-log is using 494.0M out of 513.0M bytes of available disk space (96%

ssh authorized-key

To add a public key to the current user for a client allowed to use RSA1 or RSA2 authentication to log in to the local SSH server, use the ssh authorized-key command in global configuration mode. Use the no form of this command to remove an authorized key from the system.

Related Commands

Command

Description

show ssh server-key

Displays the SSH server’s host key and host key’s fingerprint.

ssh host-key

To add an entry to the known hosts table, use the ssh host-key command in global configuration mode. You can use SSHv1 or SSHv2. For SSHv1 if the modulus, exponent, and length are not provided, the system displays the bubble babble for the requested IP address and allows you to add the key to the table. Use the no form of this command to remove an entry from the known hosts table.

Command Modes

Command History

Usage Guidelines

The ssh host-key command adds an entry to the known hosts table. To modify a key for an IP address, the entry must be removed and recreated.

If the modulus, exponent, and length are not provided, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at the moment the command is issued.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows how to add an entry to the known hosts table for 10.1.2.3:

Would you like to add this to the known hosts table for this host? [yes]

sensor(config)#

Related Commands

Command

Description

show ssh host-keys

Displays the known hosts table containing the public keys of remote SSH servers with which the sensor can connect.

terminal

To modify terminal properties for a login session, use the terminal command in EXEC mode.

terminal [ length screen-length ]

Syntax Description

screen-length

Sets the number of lines on the screen. This value is used to determine when to pause during multiple-screen output. A value of zero results in no pause when the output exceeds the screen length. The default is 24 lines. This value is not saved between login sessions.

Defaults

See the Syntax Description table for the default values.

Command Modes

EXEC

Supported User Roles

Administrator, operator, viewer

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

The terminal length command sets the number of lines that are displayed before the --more-- prompt is displayed.

Examples

The following example sets the CLI to not pause between screens for multiple-screen displays:

sensor# terminal length 0

sensor#

The following example sets the CLI to display 10 lines per screen for multiple-screen displays:

sensor# terminal length 10

sensor#

tls generate-key

To regenerate the server’s self-signed X.509 certificate, use the tls generate-key command in EXEC mode. An error is returned if the host is not using a self-signed certificate.

tls generate-key

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

EXEC

Supported User Roles

Administrator

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.

Examples

The following example shows how to generate the server’s self-signed certificate:

sensor(config)# tls generate-key

MD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BB

SHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AA

sensor(config)#

Related Commands

Command

Description

show tls fingerprint

Displays the server’s TLS certificate fingerprint.

tls trusted-host

To add a trusted host to the system, use the tls trusted-host command in global configuration mode. Use the no form of the command to remove a trusted host certificate.

tls trusted-host ip-address ip-address [port port]

no tls trusted-host ip-address ip-address [port port]

no tls trusted-host id id

Syntax Description

ip-address

IP address of host to add or remove.

port

(Optional) Port number of host to contact. The default is port 443.

Defaults

See the Syntax Description table for the default values.

Command Modes

Global configuration

Supported User Roles

Administrator, operator

Command History

Release

Modification

4.0(1)

This command was introduced.

4.0(2)

Added optional port. Added no command to support removal based on ID.

Usage Guidelines

This command retrieves the current fingerprint for the requested host and port and displays the result. You can choose to accept or reject the fingerprint based on the information retrieved directly from the host you are adding.

Each certificate is stored with an identifier field. For an IP address and the default port, the identifier is ipaddress; for an IP address and a specified port, the identifier is ipaddress:port.

Note This command is IPS-specific. There is no related IOS command in version 12.0 or earlier.
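Accepting a fingerprint with tls trusted-host only adds assurance if the value the sensor shows is compared against the fingerprint of the certificate obtained some other way (for example, the certificate file exported from the host being added). The following script is an added example, not Cisco code: it computes MD5 and SHA1 fingerprints in the same colon-separated uppercase format that show tls fingerprint, tls generate-key and tls trusted-host print, parses those lines from captured CLI output, and compares them in constant time. The DER bytes passed in are a constructed stand-in (b"abc"); in practice they would be the raw DER of the certificate obtained out of band. The sample CLI output is the fingerprint pair from the show tls fingerprint example in this section.

```python
import hashlib
import hmac

# Copied from the show tls fingerprint example in this section.
SAMPLE_SENSOR_OUTPUT = """\
sensor# show tls fingerprint
MD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BB
SHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AA
sensor#
"""


def fingerprint(der_bytes: bytes, algorithm: str) -> str:
    """Hash the DER-encoded certificate and format it like the sensor CLI (AA:BB:...)."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(der_bytes: bytes) -> dict:
    return {"MD5": fingerprint(der_bytes, "md5"), "SHA1": fingerprint(der_bytes, "sha1")}


def normalize(fp: str) -> str:
    """Strip colons and spaces and upper-case so CLI and tool formats compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(expected: str, shown: str) -> bool:
    # compare_digest avoids a timing side channel on the comparison itself.
    return hmac.compare_digest(normalize(expected), normalize(shown))


def parse_sensor_fingerprints(cli_output: str) -> dict:
    """Extract the 'MD5:' and 'SHA1:' lines the sensor prints."""
    found = {}
    for line in cli_output.splitlines():
        line = line.strip()
        for label in ("MD5", "SHA1"):
            if line.startswith(label + ":"):
                found[label] = line[len(label) + 1:].strip()
    return found


def verify_trusted_host(cli_output: str, der_bytes: bytes) -> bool:
    """Accept only when the SHA1 fingerprint matches; an MD5-only match is not
    treated as sufficient because MD5 collisions are practical."""
    shown = parse_sensor_fingerprints(cli_output)
    computed = fingerprints(der_bytes)
    if "SHA1" not in shown:
        return False
    return fingerprint_matches(computed["SHA1"], shown["SHA1"])


if __name__ == "__main__":
    # Constructed stand-in for the certificate's DER bytes, not a real certificate.
    stand_in_der = b"abc"
    print("computed:", fingerprints(stand_in_der))
    print("sensor shows:", parse_sensor_fingerprints(SAMPLE_SENSOR_OUTPUT))
    print("accept:", verify_trusted_host(SAMPLE_SENSOR_OUTPUT, stand_in_der))
```

Run against a real export, read the certificate file in binary mode and pass its bytes in place of the stand-in; if the file is PEM rather than DER, decode the base64 body first, since the fingerprint is defined over the DER encoding.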

Examples

The following command adds an entry to the trusted host table for IP address 172.21.172.1, port 443:

upgrade

To apply a service pack, signature update, or image upgrade, use the upgrade command in global configuration mode.

upgrade source-url

Syntax Description

source-url

The location of the upgrade to retrieve.

Defaults

This command has no default behavior or values.

Command Modes

Global configuration

Supported User Roles

Administrator

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

From the command line, you can enter all necessary source and destination URL information and the username. If you enter only the command upgrade followed by a prefix (ftp: or scp:), you are prompted for any missing information, including a password where applicable.

The directory specification should be an absolute path to the desired file. For recurring upgrades, do not specify a filename. You can configure the sensor for recurring upgrades that occur on specific days at specific times, or you can configure a recurring upgrade to occur after a specific number of hours have elapsed from the initial upgrade.

The exact format of the source URLs varies according to the file. The following valid types are supported:

Prefix

Source or Destination

ftp:

Source URL for the FTP network server. The syntax for this prefix is:

ftp://[[username@]location][/relativeDirectory]/filename

ftp://[[username@]location][//absoluteDirectory]/filename

scp:

Source URL for the SCP network server. The syntax for this prefix is:

scp://[[username@]location][/relativeDirectory]/filename

scp://[[username@]location][//absoluteDirectory]/filename

http:

Source URL for the web server. The syntax for this prefix is: http://[[username@]location][/directory]/filename

https:

Source URL for the web server. The syntax for this prefix is: https://[[username@]location][/directory]/filename

Note This command does not exist in Cisco IOS 12.0 or earlier.
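The URL grammar in the show tech-support and upgrade tables is the same apart from the accepted prefixes, and the single versus double slash after the location is the only thing that distinguishes a directory relative to the login account from an absolute one. The following parser is an added example, not part of the Cisco documentation: it splits a sensor URL into prefix, username, location, directory (with the absolute flag) and filename, then applies the rules each command states, that a tech-support destination must use ftp: or scp: and end in .html, and that a recurring upgrade source names a directory rather than a file. Host addresses in the usage below are constructed; the username and path come from the examples in this section.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

UPGRADE_PREFIXES = ("ftp", "scp", "http", "https")
TECH_SUPPORT_PREFIXES = ("ftp", "scp")


@dataclass
class SensorUrl:
    scheme: str
    username: Optional[str]   # None when the URL has no username@ part
    location: str             # host name or IP address
    directory: str            # "" means the login account's default directory
    absolute: bool            # True for the //absoluteDirectory form
    filename: Optional[str]   # None when the URL ends in "/" (directory only)


def parse_sensor_url(url: str, allowed: Sequence[str]) -> SensorUrl:
    """Parse prefix://[[username@]location][/dir | //absdir]/filename."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in allowed:
        raise ValueError(f"unsupported prefix {scheme!r}; expected one of {', '.join(allowed)}")
    authority, slash, path = rest.partition("/")
    if not slash:
        raise ValueError("URL needs a path after the location")
    username = None
    if "@" in authority:
        username, _, authority = authority.rpartition("@")
        if not username:
            raise ValueError("empty username before '@'")
    if not authority:
        raise ValueError("location is required")
    # After the first '/', a leading '/' means the //absoluteDirectory form.
    absolute = path.startswith("/")
    if absolute:
        path = path[1:]
    directory, _, filename = path.rpartition("/")
    if absolute:
        directory = "/" + directory
    return SensorUrl(scheme, username, authority, directory, absolute, filename or None)


def check_tech_support_destination(url: str) -> List[str]:
    """Return the problems with a show tech-support destination-url (empty list = OK)."""
    try:
        parsed = parse_sensor_url(url, TECH_SUPPORT_PREFIXES)
    except ValueError as exc:
        return [str(exc)]
    if parsed.filename is None:
        return ["destination must name a file"]
    if not parsed.filename.endswith(".html"):
        return ["report filename must end in .html"]
    return []


def check_upgrade_source(url: str, recurring: bool = False) -> List[str]:
    """Return the problems with an upgrade source-url (empty list = OK)."""
    try:
        parsed = parse_sensor_url(url, UPGRADE_PREFIXES)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if recurring and parsed.filename is not None:
        problems.append("recurring upgrades take a directory, not a filename")
    if not recurring and parsed.filename is None:
        problems.append("a one-time upgrade must name the file to retrieve")
    if parsed.scheme in ("http", "https") and parsed.absolute:
        problems.append("http/https sources use the [/directory] form only")
    return problems


if __name__ == "__main__":
    # 10.1.1.1 comes from the upgrade example; csidsuser and the report path from show tech-support.
    print(parse_sensor_url("scp://tester@10.1.1.1/upgrade/sp.rpm", UPGRADE_PREFIXES))
    print(check_tech_support_destination("ftp://csidsuser@10.1.1.1/reports/sensor1Report.html"))
    print(check_upgrade_source("scp://tester@10.1.1.1/upgrade/", recurring=True))
```

The parser does not reject a relative directory for upgrade even though the guidelines recommend an absolute path, because the documented example itself uses a path relative to the tester account; it only reports which form was used.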

Examples

The following example prompts the sensor to immediately check for the specified upgrade. The directory and path are relative to the tester’s user account.

sensor(config)# upgrade scp://tester@10.1.1.1/upgrade/sp.rpm

Enter password: *****

Re-enter password: ****

unlock user

To unlock local and RADIUS accounts that have been locked after a certain number of failed login attempts, use the unlock user command in global configuration mode. You must be an administrator to unlock user accounts.

unlock user username

Syntax Description

unlock user

Unlocks the account of the user.

username

Specifies the username.

Defaults

This command has no default behavior or values.

Command Modes

Global configuration

Supported User Roles

Administrator

Command History

Release

Modification

7.1(3)

This command was introduced to the 7.1 train.

Usage Guidelines

The unlock user command provides a way for an administrator to unlock a local or RADIUS account for a user who has exceeded the failed attempt limit. A locked account is indicated by parentheses in the show users all output.

Examples

The following example unlocks the user jsmith.

sensor# configure terminal

sensor(config)# unlock user jsmith

Related Commands

Command

Description

attemptLimit

Sets the number of login attempts before the user account is locked.

show users all

Shows all users with accounts on the sensor.

username

To create users on the local sensor, use the username command in global configuration mode. You must be an administrator to create users. Use the no form of the command to remove a user from the sensor; this removes the user from both CLI and web access.

username name [password password] [privilege privilege]

no username name

Syntax Description

name

Specifies the username. A valid username is 1 to 64 characters in length. The username must begin with an alphanumeric character; otherwise all characters are accepted.

password

Specifies the password for the user.

password

A valid password is 8 to 32 characters in length. All characters except space are allowed.

Usage Guidelines

If the password is not provided on the command line, the user is prompted. Use the password command to change the password for the current user or for a user already existing in the system. Use the privilege command to change the privilege for a user already existing in the system.

Examples

The following example adds a user called tester with a privilege of viewer and the password testerpassword.

sensor(config)# username tester password testerpassword

The following example shows the password being entered as protected:

sensor(config)# username tester

Enter Login Password: **************

Re-enter Login Password: **************

The following command changes the privilege of user “tester” to operator: